author | Jenkins <jenkins@review.openstack.org> | 2016-07-11 22:08:20 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2016-07-11 22:08:20 +0000 |
commit | ee74d157abfcae31a8496827e808157cf9611267 (patch) | |
tree | 15cd8a25f8b87182317ef6dec36b1c23d248e51f | |
parent | 6d47d8be5efc49fab933f37c67fd45e92b5fc9be (diff) | |
parent | cbbcf241efd97ea6dfbad6f474913afb48b9b652 (diff) | |
download | keystone-ee74d157abfcae31a8496827e808157cf9611267.tar.gz |
Merge "Bootstrap: enable and reset password for existing users" into stable/mitaka
-rw-r--r-- | keystone/cmd/cli.py | 18 | ||||
-rw-r--r-- | keystone/tests/unit/test_cli.py | 22 |
2 files changed, 40 insertions, 0 deletions
diff --git a/keystone/cmd/cli.py b/keystone/cmd/cli.py
index f95007e0e..a1f614fcf 100644
--- a/keystone/cmd/cli.py
+++ b/keystone/cmd/cli.py
@@ -215,6 +215,24 @@ class BootStrap(BaseApp):
 default_domain['id'])
 LOG.info(_LI('User %s already exists, skipping creation.'),
 self.username)
+
+ # Remember whether the user was enabled or not, so that we can
+ # provide useful logging output later.
+ was_enabled = user['enabled']
+
+ # To keep bootstrap idempotent, try to reset the user's password
+ # and ensure that they are enabled. This allows bootstrap to act as
+ # a recovery tool, without having to create a new user.
+ user = self.identity_manager.update_user(
+ user['id'],
+ {'enabled': True,
+ 'password': self.password})
+ LOG.info(_LI('Reset password for user %s.'), self.username)
+ if not was_enabled and user['enabled']:
+ # Although we always try to enable the user, this log message
+ # only makes sense if we know that the user was previously
+ # disabled.
+ LOG.info(_LI('Enabled user %s.'), self.username)
 except exception.UserNotFound:
 user = self.identity_manager.create_user(
 user_ref={'name': self.username,
diff --git a/keystone/tests/unit/test_cli.py b/keystone/tests/unit/test_cli.py
index 06f2e1727..7e53ca624 100644
--- a/keystone/tests/unit/test_cli.py
+++ b/keystone/tests/unit/test_cli.py
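Review bot: The `update_user` call added before `except exception.UserNotFound:` in keystone/cmd/cli.py re-enables the account and overwrites its password on every bootstrap run that finds the user, and both changes are logged only at INFO. Any automation that re-runs bootstrap with a stale password will therefore quietly undo a password rotation or a deliberate disable, for example one made during incident response. Re-enabling a disabled account is a security-relevant state change and should stand out in the logs, e.g. `LOG.warning(_LW('Enabled previously disabled user %s.'), self.username)` (assuming `_LW` is imported in this module, which the hunk does not show). The comment above the call should also state that a deliberate disable is overridden, so operators keep the bootstrap password in sync with rotations. The enclosing method starts and ends outside the hunk, so whether `update_user` also revokes tokens issued under the old password cannot be confirmed from here.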
@@ -118,6 +118,28 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
 self._do_test_bootstrap(bootstrap)
 self._do_test_bootstrap(bootstrap)
+ def test_bootstrap_recovers_user(self):
+ bootstrap = cli.BootStrap()
+ self._do_test_bootstrap(bootstrap)
+
+ # Completely lock the user out.
+ user_id = bootstrap.identity_manager.get_user_by_name(
+ bootstrap.username,
+ 'default')['id']
+ bootstrap.identity_manager.update_user(
+ user_id,
+ {'enabled': False,
+ 'password': uuid.uuid4().hex})
+
+ # The second bootstrap run will recover the account.
+ self._do_test_bootstrap(bootstrap)
+
+ # Sanity check that the original password works again.
+ bootstrap.identity_manager.authenticate(
+ {},
+ user_id,
+ bootstrap.password)
+
 class CliBootStrapTestCaseWithEnvironment(CliBootStrapTestCase): |
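Review bot: `test_bootstrap_recovers_user` disables the account but never asserts that the second bootstrap run enabled it again. The final `authenticate` call only shows that the original password was restored; whether it, or `_do_test_bootstrap`, also rejects a disabled user is not visible in this hunk. Adding `self.assertTrue(bootstrap.identity_manager.get_user(user_id)['enabled'])` after the second run would pin the re-enable half of the recovery, which is the part with the larger access-control impact. A negative check that the random lockout password no longer authenticates would also confirm the reset replaced the credential rather than leaving it in place.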