Reviewed:  https://review.opendev.org/c/openstack/keystone/+/924892
Committed: https://opendev.org/openstack/keystone/commit/e9513f8e4f25e1f20bc6fcab71d9177120000abf
Submitter: "Zuul (22348)"
Branch:    master

commit e9513f8e4f25e1f20bc6fcab71d9177120000abf
Author: Douglas Mendizábal <dmend...@redhat.com>
Date:   Fri Jul 19 17:10:11 2024 -0400

    Add keystone-manage reset_last_active command

    This patch adds the `reset_last_active` subcommand to the
    `keystone-manage` command line tool.

    This subcommand will update every user in the database that has a
    null value in the `last_active_at` property to the current server
    time. This is necessary to prevent user lockout in deployments that
    have been running for a long time without
    `disable_user_account_days_inactive` and later decide to turn it on.

    This patch also includes a change to the logic that sets
    `last_active_at` to fix the root issue of the lockout.

    Closes-Bug: 2074018
    Change-Id: I1b71fb3881dc041db01083fbb4f2592400096a31

** Changed in: keystone
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2074018

Title:
  disable_user_account_days_inactive option locks out all users

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  Enabling the option `[security_compliance]
  disable_user_account_days_inactive = X` disables all user accounts in
  deployments that have been running for longer than X.

  The root cause seems to be the way that the values of the
  `last_active_at` column in the `user` table are set. When the option
  is disabled, the `last_active_at` column is never updated, so it is
  null for all users.

  If you later decide to turn on this option for compliance reasons, the
  current logic in Keystone will use the value of `created_at` as the
  last time the user was active. For any deployment where the users were
  created longer ago than the value of
  `disable_user_account_days_inactive`, this will result in all users
  being disabled, including the admin user, regardless of when the user
  last logged in.
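The lockout mechanism from the bug description and the effect of resetting null `last_active_at` values, as an added example that is not Keystone's code or part of the original notification. It uses a simplified SQLite model: only the `user` table name and the `created_at` / `last_active_at` columns come from the report; the function names, the sample rows and the text timestamp format are assumptions.

```python
import sqlite3
from datetime import datetime, timedelta

# Simplified model of the behaviour in the bug report; not Keystone's code.
NOW = datetime(2024, 7, 19, 12, 0, 0)  # constructed "current server time"

def make_db(now):
    """Build an in-memory `user` table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (id TEXT PRIMARY KEY, "
               "created_at TEXT, last_active_at TEXT)")
    rows = [  # (id, created days ago, last active days ago or None)
        ("admin", 900, None),   # old account, activity never recorded
        ("alice", 400, None),   # old account, activity never recorded
        ("bob", 10, None),      # recent account
        ("carol", 500, 200),    # activity recorded, genuinely inactive
    ]
    for uid, created, active in rows:
        last = (now - timedelta(days=active)).isoformat() if active else None
        db.execute("INSERT INTO user VALUES (?, ?, ?)",
                   (uid, (now - timedelta(days=created)).isoformat(), last))
    return db

def would_be_disabled(db, now, days_inactive):
    """Audit: users treated as inactive when a NULL last_active_at falls
    back to created_at, as the report describes."""
    cutoff = (now - timedelta(days=days_inactive)).isoformat()
    cur = db.execute(
        "SELECT id FROM user "
        "WHERE COALESCE(last_active_at, created_at) < ? ORDER BY id",
        (cutoff,))
    return [row[0] for row in cur]

def reset_null_last_active(db, now):
    """Model of what the commit message says `reset_last_active` does:
    set every NULL last_active_at to the current time."""
    cur = db.execute(
        "UPDATE user SET last_active_at = ? WHERE last_active_at IS NULL",
        (now.isoformat(),))
    return cur.rowcount

if __name__ == "__main__":
    db = make_db(NOW)
    print("before reset:", would_be_disabled(db, NOW, 90))
    print("rows updated:", reset_null_last_active(db, NOW))
    print("after reset: ", would_be_disabled(db, NOW, 90))
```

Running the audit query before enabling the option shows which accounts, the admin included, would be locked out by the fallback; after the reset only accounts with a recorded, stale `last_active_at` remain affected.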