Public bug reported:

When a user is updated [1] the user object is re-instantiated from the current user object. In this user dictionary, the password attribute is the hashed password, which can easily be more than the preconfigured 72 chars (when using `bcrypt` method).

We have been running keystone since icehouse version, so we still have a lot of passwords that use the `sha512crypt` method (which was the default back then [2]), which are more than 72 chars, easy. For example:

```
$6$rounds=40000$tgLsnccAfTiJSrKH$/k2pMchhql2t9GbFnHHGdr34v0nTKCgjj3yKct/gv5sSaMeXkUwH641ZVdGV3plOt5JWMgpem6GAtOTlGC.iO1
```

Please note, nothing wrong happens; the password is not actually truncated when saved or updated, as this is handled separately [3].

One way to go about it is to pop the `password` field from the `old_user_dict`, so the warning only pops up whenever a user really updates its password.

[1] https://github.com/openstack/keystone/blob/8ca73f758bb613a57815fbe4ae78e3d2afa4af49/keystone/identity/backends/sql.py#L225
[2] https://github.com/openstack/keystone/blob/kilo-eol/keystone/common/utils.py#L127
[3] https://github.com/openstack/keystone/blob/8ca73f758bb613a57815fbe4ae78e3d2afa4af49/keystone/identity/backends/sql.py#L239

** Affects: keystone
   Importance: Undecided
   Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2060441

Title: Warning log messages about password being truncated upon user update

Status in OpenStack Identity (keystone): New
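The situation described in this report, as an added example that is not part of the original bug report and is not keystone's code: a simplified Python model in which `check_length`, `user_from_dict`, `update_user` and the warning text are hypothetical stand-ins and the stored hash is a constructed value. It shows the warning firing on an update that never touches the password, and staying quiet once the stored hash is popped from `old_user_dict`.

```python
import logging

LOG = logging.getLogger("user_update_model")
MAX_PASSWORD_LENGTH = 72  # the preconfigured bcrypt limit from the report

# Constructed value in sha512crypt layout, not a real credential hash.
STORED_HASH = "$6$rounds=40000$" + "s" * 16 + "$" + "h" * 86


class Capture(logging.Handler):
    """Collects warning messages so each variant's effect is visible."""

    def __init__(self):
        super().__init__(level=logging.WARNING)
        self.messages = []

    def emit(self, record):
        self.messages.append(record.getMessage())


def check_length(value):
    """Hypothetical stand-in for the length check: it only warns here."""
    if len(value.encode("utf-8")) > MAX_PASSWORD_LENGTH:
        LOG.warning("Truncating password to %d bytes", MAX_PASSWORD_LENGTH)


def user_from_dict(user_dict):
    """Hypothetical model constructor that validates any 'password' key."""
    if user_dict.get("password") is not None:
        check_length(user_dict["password"])
    return dict(user_dict)


def update_user(stored, changes, pop_hash):
    """Merge changes into the stored record; return the warnings logged."""
    capture = Capture()
    LOG.addHandler(capture)
    try:
        old_user_dict = dict(stored)
        if pop_hash:
            # Suggested fix: the stored value is a hash, not a new password.
            old_user_dict.pop("password", None)
        old_user_dict.update(changes)
        user_from_dict(old_user_dict)
    finally:
        LOG.removeHandler(capture)
    return capture.messages
```

With `pop_hash=True` a genuine password change that exceeds the limit still produces the warning, because the new value arrives through `changes`.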

