Public bug reported:
Heat's bug: https://storyboard.openstack.org/#!/story/2005210
Heat creates service users in its dedicated domain on the fly. These are
crucial in situations that require deferred authentications, for example
autoscaling.
There's a password_regex option in [security_compliance] section in
Keystone that enforces passwords to pass a certain regex, thus enforcing
their strength.
However Heat has no way to generate random passwords for its users that
will certainly pass any such regex set. In fact the problem of
generating a random string from arbitrary regex is quite a non trivial
one and for now solutions/libraries exist only when regex uses only a
certain subset of a full regex spec.
When generating passwords for its domain users Heat creates quite a
strong password (32 alphanum+special symbols), but still it may fail a
custom regex set in Keystone.
It is proposed to add another user option (ignore_password_regex)
similar to those already existing in Keystone to override the regex
enforcement of the password for given user.
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1827435
Title:
add user option to ignore password_regex
Status in OpenStack Identity (keystone):
New
Bug description:
Heat's bug: https://storyboard.openstack.org/#!/story/2005210
Heat creates service users in its dedicated domain on the fly. These
are crucial in situations that require deferred authentications, for
example autoscaling.
There's a password_regex option in [security_compliance] section in
Keystone that enforces passwords to pass a certain regex, thus
enforcing their strength.
However Heat has no way to generate random passwords for its users
that will certainly pass any such regex set. In fact the problem of
generating a random string from arbitrary regex is quite a non trivial
one and for now solutions/libraries exist only when regex uses only a
certain subset of a full regex spec.
When generating passwords for its domain users Heat creates quite a
strong password (32 alphanum+special symbols), but still it may fail a
custom regex set in Keystone.
It is proposed to add another user option (ignore_password_regex)
similar to those already existing in Keystone to override the regex
enforcement of the password for given user.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1827435/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
