Add special user options for domain user

those are automated users that are created by Heat and the should not be subject to restrictions possibly configured in Keystone for security compliance, as those may break automated nature of things. Create domain users with several available user options that will make Keystone ignore: - password expiry - requirement to change the password on first use - lockout after failed auth attempts There are more things that must be done to properly secure those users from becoming non-working, but this will be proposed in the followup patches. Story: 2005210 Task: 29988 Change-Id: I3152ddb82426cf66f2bd8ed69f53c77c653142bf
2019-05-02 15:22:55 -06:00 · 2019-05-02 15:22:55 -06:00 · d695602397
commit d695602397
parent 86e41a8a8f
2 changed files with 18 additions and 2 deletions
--- a/heat/engine/clients/os/keystone/heat_keystoneclient.py
+++ b/heat/engine/clients/os/keystone/heat_keystoneclient.py
@ -328,6 +328,17 @@ class KsClientWrapper(object):
            # FIXME(shardy): Legacy fallback for folks using old heat.conf
            # files which lack domain configuration
            return self.create_stack_user(username=username, password=password)
+        # We are creating automated user, for which most of security
+        # compliance restrictions possibly set in Keystone should not apply,
+        # https://docs.openstack.org/keystone/latest/admin/security-compliance.html
+        # TODO(pas-ha) find a way to deal with password_regex and
+        # disable_user_account_days_inactive
+        # TODO(pas-ha) think if we also need to add lock_password too
+        user_options = {
+            "ignore_change_password_upon_first_use": True,
+            "ignore_password_expiry": True,
+            "ignore_lockout_failure_attempts": True
+        }
        # We add the new user to a special keystone role
        # This role is designed to allow easier differentiation of the
        # heat-generated "stack users" which will generally have credentials
@ -339,7 +350,8 @@ class KsClientWrapper(object):
            # Create user
            user = self.domain_admin_client.users.create(
                name=self._get_username(username), password=password,
-                default_project=project_id, domain=self.stack_domain_id)
+                default_project=project_id, domain=self.stack_domain_id,
+                options=user_options)
            # Add to stack user role
            LOG.debug("Adding user %(user)s to role %(role)s",
                      {'user': user.id, 'role': role_id})
--- a/heat/tests/clients/test_heat_client.py
+++ b/heat/tests/clients/test_heat_client.py
@ -251,6 +251,9 @@ class KeystoneClientTest(common.HeatTestCase):
        ctx = utils.dummy_context()
        self.patchobject(ctx, '_create_auth_plugin')
        ctx.trust_id = None
+        user_options = dict(ignore_password_expiry=True,
+                            ignore_change_password_upon_first_use=True,
+                            ignore_lockout_failure_attempts=True)

        # mock keystone client functions
        self._stub_domain_admin_client()
@ -266,7 +269,8 @@ class KeystoneClientTest(common.HeatTestCase):
            name='duser',
            password=None,
            default_project='aproject',
-            domain='adomain123')
+            domain='adomain123',
+            options=user_options)
        self.mock_ks_v3_client.roles.grant.assert_called_once_with(
            project='aproject',
            role='4546',