Add special user options for domain user

those are automated users that are created by Heat and the should
not be subject to restrictions possibly configured in Keystone
for security compliance, as those may break automated nature of things.

Create domain users with several available user options that will
make Keystone ignore:
- password expiry
- requirement to change the password on first use
- lockout after failed auth attempts

There are more things that must be done to properly secure those users
from becoming non-working, but this will be proposed in the followup
patches.

Story: 2005210
Task: 29988

Change-Id: I3152ddb82426cf66f2bd8ed69f53c77c653142bf
This commit is contained in:
Pavlo Shchelokovskyy 2019-05-02 15:22:55 -06:00
parent 86e41a8a8f
commit d695602397
2 changed files with 18 additions and 2 deletions

View File

@ -328,6 +328,17 @@ class KsClientWrapper(object):
# FIXME(shardy): Legacy fallback for folks using old heat.conf # FIXME(shardy): Legacy fallback for folks using old heat.conf
# files which lack domain configuration # files which lack domain configuration
return self.create_stack_user(username=username, password=password) return self.create_stack_user(username=username, password=password)
# We are creating automated user, for which most of security
# compliance restrictions possibly set in Keystone should not apply,
# https://docs.openstack.org/keystone/latest/admin/security-compliance.html
# TODO(pas-ha) find a way to deal with password_regex and
# disable_user_account_days_inactive
# TODO(pas-ha) think if we also need to add lock_password too
user_options = {
"ignore_change_password_upon_first_use": True,
"ignore_password_expiry": True,
"ignore_lockout_failure_attempts": True
}
# We add the new user to a special keystone role # We add the new user to a special keystone role
# This role is designed to allow easier differentiation of the # This role is designed to allow easier differentiation of the
# heat-generated "stack users" which will generally have credentials # heat-generated "stack users" which will generally have credentials
@ -339,7 +350,8 @@ class KsClientWrapper(object):
# Create user # Create user
user = self.domain_admin_client.users.create( user = self.domain_admin_client.users.create(
name=self._get_username(username), password=password, name=self._get_username(username), password=password,
default_project=project_id, domain=self.stack_domain_id) default_project=project_id, domain=self.stack_domain_id,
options=user_options)
# Add to stack user role # Add to stack user role
LOG.debug("Adding user %(user)s to role %(role)s", LOG.debug("Adding user %(user)s to role %(role)s",
{'user': user.id, 'role': role_id}) {'user': user.id, 'role': role_id})

View File

@ -251,6 +251,9 @@ class KeystoneClientTest(common.HeatTestCase):
ctx = utils.dummy_context() ctx = utils.dummy_context()
self.patchobject(ctx, '_create_auth_plugin') self.patchobject(ctx, '_create_auth_plugin')
ctx.trust_id = None ctx.trust_id = None
user_options = dict(ignore_password_expiry=True,
ignore_change_password_upon_first_use=True,
ignore_lockout_failure_attempts=True)
# mock keystone client functions # mock keystone client functions
self._stub_domain_admin_client() self._stub_domain_admin_client()
@ -266,7 +269,8 @@ class KeystoneClientTest(common.HeatTestCase):
name='duser', name='duser',
password=None, password=None,
default_project='aproject', default_project='aproject',
domain='adomain123') domain='adomain123',
options=user_options)
self.mock_ks_v3_client.roles.grant.assert_called_once_with( self.mock_ks_v3_client.roles.grant.assert_called_once_with(
project='aproject', project='aproject',
role='4546', role='4546',