Public bug reported:

Heat's bug: https://storyboard.openstack.org/#!/story/2005210

Heat creates service users in its dedicated domain on the fly. These are crucial in situations that require deferred authentication, for example autoscaling.

There's a password_regex option in the [security_compliance] section in Keystone that requires passwords to pass a certain regex, thus enforcing their strength. However, Heat has no way to generate random passwords for its users that will certainly pass any such regex set.

In fact, the problem of generating a random string from an arbitrary regex is quite a non-trivial one, and for now solutions/libraries exist only when the regex uses only a certain subset of the full regex spec.

When generating passwords for its domain users, Heat creates quite a strong password (32 alphanum+special symbols), but it may still fail a custom regex set in Keystone.

It is proposed to add another user option (ignore_password_regex), similar to those already existing in Keystone, to override the regex enforcement of the password for a given user.

** Affects: keystone
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1827435

Title:
  add user option to ignore password_regex

Status in OpenStack Identity (keystone):
  New
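The failure mode described in the report, as an added example that is not Heat's or Keystone's code: a fixed-shape random generator checked against several password_regex values, with bounded retries. The alphabet, the sample regexes and the use of `re.match` to model the policy check are assumptions made for illustration.

```python
import re
import secrets
import string

# Assumption: the report only says "32 alphanum+special symbols";
# this exact alphabet is illustrative, not taken from Heat.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
LENGTH = 32


def random_password(length=LENGTH, alphabet=ALPHABET):
    """Draw a password from a CSPRNG over a fixed alphabet and length."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passes_policy(password, password_regex):
    """Assumption: the policy check is modelled as re.match on the regex."""
    return re.match(password_regex, password) is not None


def generate_compliant(password_regex, max_attempts=100):
    """Rejection sampling with a hard cap.

    Returns (password, attempts_used), or (None, max_attempts) when no
    candidate of this fixed shape matched the regex.
    """
    for attempt in range(1, max_attempts + 1):
        candidate = random_password()
        if passes_policy(candidate, password_regex):
            return candidate, attempt
    return None, max_attempts


# Constructed sample policies (not from the report).
SAMPLE_POLICIES = {
    "digit+letter, min 7": r"^(?=.*\d)(?=.*[a-zA-Z]).{7,}$",
    "at most 16 chars": r"^.{8,16}$",        # a 32-char password can never match
    "needs whitespace": r"^(?=.*\s).{8,}$",  # alphabet contains no whitespace
}

if __name__ == "__main__":
    for name, regex in SAMPLE_POLICIES.items():
        password, attempts = generate_compliant(regex)
        status = "ok" if password else "unsatisfiable for this generator"
        print(f"{name:22} {status} (attempts: {attempts})")
```

Retrying only helps when the regex is merely improbable to miss; when the regex excludes the generator's length or alphabet, no number of retries produces a compliant password.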