openstack/heat
Code Issues Proposed changes

Merge "Add special user options for domain user"

Browse Source
This commit is contained in:
Zuul 2019-05-08 14:44:06 +00:00 committed by Gerrit Code Review
commit 563616967d
2 changed files with 18 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
heat/engine/clients/os/keystone/heat_keystoneclient.py
View File

@ -328,6 +328,17 @@ class KsClientWrapper(object):
# FIXME(shardy): Legacy fallback for folks using old heat.conf # FIXME(shardy): Legacy fallback for folks using old heat.conf
# files which lack domain configuration # files which lack domain configuration
return self.create_stack_user(username=username, password=password) return self.create_stack_user(username=username, password=password)
# We are creating automated user, for which most of security
# compliance restrictions possibly set in Keystone should not apply,
# https://docs.openstack.org/keystone/latest/admin/security-compliance.html
# TODO(pas-ha) find a way to deal with password_regex and
# disable_user_account_days_inactive
# TODO(pas-ha) think if we also need to add lock_password too
user_options = {
"ignore_change_password_upon_first_use": True,
"ignore_password_expiry": True,
"ignore_lockout_failure_attempts": True
}
# We add the new user to a special keystone role # We add the new user to a special keystone role
# This role is designed to allow easier differentiation of the # This role is designed to allow easier differentiation of the
# heat-generated "stack users" which will generally have credentials # heat-generated "stack users" which will generally have credentials
@ -339,7 +350,8 @@ class KsClientWrapper(object):
# Create user # Create user
user = self.domain_admin_client.users.create( user = self.domain_admin_client.users.create(
name=self._get_username(username), password=password, name=self._get_username(username), password=password,
default_project=project_id, domain=self.stack_domain_id) default_project=project_id, domain=self.stack_domain_id,
options=user_options)
# Add to stack user role # Add to stack user role
LOG.debug("Adding user %(user)s to role %(role)s", LOG.debug("Adding user %(user)s to role %(role)s",
{'user': user.id, 'role': role_id}) {'user': user.id, 'role': role_id})

6
heat/tests/clients/test_heat_client.py
View File

@ -251,6 +251,9 @@ class KeystoneClientTest(common.HeatTestCase):
ctx = utils.dummy_context() ctx = utils.dummy_context()
self.patchobject(ctx, '_create_auth_plugin') self.patchobject(ctx, '_create_auth_plugin')
ctx.trust_id = None ctx.trust_id = None
user_options = dict(ignore_password_expiry=True,
ignore_change_password_upon_first_use=True,
ignore_lockout_failure_attempts=True)
# mock keystone client functions # mock keystone client functions
self._stub_domain_admin_client() self._stub_domain_admin_client()
@ -266,7 +269,8 @@ class KeystoneClientTest(common.HeatTestCase):
name='duser', name='duser',
password=None, password=None,
default_project='aproject', default_project='aproject',
domain='adomain123') domain='adomain123',
options=user_options)
self.mock_ks_v3_client.roles.grant.assert_called_once_with( self.mock_ks_v3_client.roles.grant.assert_called_once_with(
project='aproject', project='aproject',
role='4546', role='4546',