[Bug 1728031] Please test proposed package

James Page 1728031 at bugs.launchpad.net
Fri Jun 28 09:04:40 UTC 2024


Hello lahari, or anyone else affected,

Accepted horizon into bobcat-proposed. The package will build now and be
available in the Ubuntu Cloud Archive in a few hours, and then in the
-proposed repository.

Please help us by testing this new package. To enable the -proposed
repository:

  sudo add-apt-repository cloud-archive:bobcat-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-bobcat-needed to verification-bobcat-done. If it does
not fix the bug for you, please add a comment stating that, and change
the tag to verification-bobcat-failed. In either case, details of your
testing will help us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance!

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to horizon in Ubuntu.
https://bugs.launchpad.net/bugs/1728031

Title:
  [SRU] Unable to change user password when ENFORCE_PASSWORD_CHECK is
  True

Status in Ubuntu Cloud Archive:
  New
Status in Ubuntu Cloud Archive antelope series:
  New
Status in Ubuntu Cloud Archive bobcat series:
  Fix Committed
Status in Ubuntu Cloud Archive yoga series:
  Fix Committed
Status in Ubuntu Cloud Archive zed series:
  Fix Released
Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in horizon package in Ubuntu:
  Fix Released
Status in horizon source package in Jammy:
  Fix Released
Status in horizon source package in Mantic:
  Fix Released
Status in horizon source package in Noble:
  Fix Released
Status in horizon source package in Oracular:
  Fix Released

Bug description:
  After following the security hardening guidelines:
  https://docs.openstack.org/security-guide/dashboard/checklist.html#check-dashboard-09-is-enforce-password-check-set-to-true
  After this check is enabled
  Check-Dashboard-09: Is ENFORCE_PASSWORD_CHECK set to True
  The user password cannot be changed.
  The form submission fails by displaying that admin password is incorrect.

  The reason for this is in keystone.py in openstack_dashboard/api/keystone.py
  user_verify_admin_password method uses internal url to communicate with the keystone.
  line 500:
  endpoint = _get_endpoint_url(request, 'internalURL')
  This should be changed to adminURL

  ===============
  SRU Description
  ===============

  [Impact]

  Admins cannot change user's password as it gives an error saying that the admin's password is incorrect, despite being correct. There are 2 causes:
  1) due to the lack of user_domain being specified when validating the admin's password, it will always fail if the admin is not registered in the "default" domain, because the user_domain defaults to "default" when not specified.
  2) even if the admin user is registered in the "default" domain, it may fail due to the wrong endpoint being used in the request to validate the admin's password.
  The issues are fixed in 2 separate patches [1] and [2]. However, [2] is introducing a new config option, while [1] alone is also enough to fix the occurrence on some deployments. We are including only [1] in the SRU.

  [Test Plan]

  Part 1/2) Test case

  1. Setting up the env, ensure ENFORCE_PASSWORD_CHECK is set to True

  1a. Deploy openstack env with horizon/openstack-dashboard

  1b. Set up admin user in a domain not named "default", such as
  "admin_domain".

  1c. Set up any other user, such as demo. Preferably in the
  admin_domain as well for convenience.

  2. Reproduce the bug

  2a. Login as admin and navigate to Identity > Users

  2b. On the far right-hand side of the demo user row, click the options
  button and select Change Password

  2c. Type in any new password, repeat it below, and type in the admin
  password. Click Save and you should see a message "The admin password
  is incorrect"

  3. Install package that contains the fixed code

  4. Confirm fix

  5a. Repeat steps 2a-2c

  5b. The password should now be saved successfully

  Part 2/2) Expected failures

  Check that password changes will continue to fail 
  in scenarios where it is expected to fail, such as:
  - admin password incorrect
  - user not authorized cases
  (comment #35)

  [Where problems could occur]

  The code is a 1-line change that was tested in upstream CI (without
  the addition of bug-specific functional tests) from master(Caracal) to
  stable/zed without any issue captured. No side effects or risks are
  foreseen. Usage of fix [1] has also been tested manually without fix
  [2] and still worked. Worst case scenario, the ability to change
  password that currently does not work will still not work, because the
  code change is isolated to the specific function that validates the
  authenticity of the password used.

  Regressions would likely manifest when trying to change user
  passwords.

  [Other Info]

  None.

  [1] https://review.opendev.org/c/openstack/horizon/+/913250
  [2] https://review.opendev.org/c/openstack/horizon/+/844574

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1728031/+subscriptions




More information about the Ubuntu-openstack-bugs mailing list