Add special user options for domain user
those are automated users that are created by Heat and the should not be subject to restrictions possibly configured in Keystone for security compliance, as those may break automated nature of things. Create domain users with several available user options that will make Keystone ignore: - password expiry - requirement to change the password on first use - lockout after failed auth attempts There are more things that must be done to properly secure those users from becoming non-working, but this will be proposed in the followup patches. Story: 2005210 Task: 29988 Change-Id: I3152ddb82426cf66f2bd8ed69f53c77c653142bf
This commit is contained in:
parent
86e41a8a8f
commit
d695602397
@ -328,6 +328,17 @@ class KsClientWrapper(object):
|
|||||||
# FIXME(shardy): Legacy fallback for folks using old heat.conf
|
# FIXME(shardy): Legacy fallback for folks using old heat.conf
|
||||||
# files which lack domain configuration
|
# files which lack domain configuration
|
||||||
return self.create_stack_user(username=username, password=password)
|
return self.create_stack_user(username=username, password=password)
|
||||||
|
# We are creating automated user, for which most of security
|
||||||
|
# compliance restrictions possibly set in Keystone should not apply,
|
||||||
|
# https://docs.openstack.org/keystone/latest/admin/security-compliance.html
|
||||||
|
# TODO(pas-ha) find a way to deal with password_regex and
|
||||||
|
# disable_user_account_days_inactive
|
||||||
|
# TODO(pas-ha) think if we also need to add lock_password too
|
||||||
|
user_options = {
|
||||||
|
"ignore_change_password_upon_first_use": True,
|
||||||
|
"ignore_password_expiry": True,
|
||||||
|
"ignore_lockout_failure_attempts": True
|
||||||
|
}
|
||||||
# We add the new user to a special keystone role
|
# We add the new user to a special keystone role
|
||||||
# This role is designed to allow easier differentiation of the
|
# This role is designed to allow easier differentiation of the
|
||||||
# heat-generated "stack users" which will generally have credentials
|
# heat-generated "stack users" which will generally have credentials
|
||||||
@ -339,7 +350,8 @@ class KsClientWrapper(object):
|
|||||||
# Create user
|
# Create user
|
||||||
user = self.domain_admin_client.users.create(
|
user = self.domain_admin_client.users.create(
|
||||||
name=self._get_username(username), password=password,
|
name=self._get_username(username), password=password,
|
||||||
default_project=project_id, domain=self.stack_domain_id)
|
default_project=project_id, domain=self.stack_domain_id,
|
||||||
|
options=user_options)
|
||||||
# Add to stack user role
|
# Add to stack user role
|
||||||
LOG.debug("Adding user %(user)s to role %(role)s",
|
LOG.debug("Adding user %(user)s to role %(role)s",
|
||||||
{'user': user.id, 'role': role_id})
|
{'user': user.id, 'role': role_id})
|
||||||
|
@ -251,6 +251,9 @@ class KeystoneClientTest(common.HeatTestCase):
|
|||||||
ctx = utils.dummy_context()
|
ctx = utils.dummy_context()
|
||||||
self.patchobject(ctx, '_create_auth_plugin')
|
self.patchobject(ctx, '_create_auth_plugin')
|
||||||
ctx.trust_id = None
|
ctx.trust_id = None
|
||||||
|
user_options = dict(ignore_password_expiry=True,
|
||||||
|
ignore_change_password_upon_first_use=True,
|
||||||
|
ignore_lockout_failure_attempts=True)
|
||||||
|
|
||||||
# mock keystone client functions
|
# mock keystone client functions
|
||||||
self._stub_domain_admin_client()
|
self._stub_domain_admin_client()
|
||||||
@ -266,7 +269,8 @@ class KeystoneClientTest(common.HeatTestCase):
|
|||||||
name='duser',
|
name='duser',
|
||||||
password=None,
|
password=None,
|
||||||
default_project='aproject',
|
default_project='aproject',
|
||||||
domain='adomain123')
|
domain='adomain123',
|
||||||
|
options=user_options)
|
||||||
self.mock_ks_v3_client.roles.grant.assert_called_once_with(
|
self.mock_ks_v3_client.roles.grant.assert_called_once_with(
|
||||||
project='aproject',
|
project='aproject',
|
||||||
role='4546',
|
role='4546',
|
||||||
|
Loading…
Reference in New Issue
Block a user