Unable to change user password when ENFORCE_PASSWORD_CHECK is True

Bug #1728031 reported by lahari
Affects:      OpenStack Dashboard (Horizon)
Status:       In Progress
Importance:   Undecided
Assigned to:  Unassigned
Milestone:    (none)

Bug Description

After following the security hardening guidelines:
https://docs.openstack.org/security-guide/dashboard/checklist.html#check-dashboard-09-is-enforce-password-check-set-to-true

After this check is enabled (Check-Dashboard-09: Is ENFORCE_PASSWORD_CHECK set to True), the user password cannot be changed. The form submission fails, displaying that the admin password is incorrect.

The reason for this is in openstack_dashboard/api/keystone.py: the user_verify_admin_password method uses the internal URL to communicate with keystone.
Line 500:
    endpoint = _get_endpoint_url(request, 'internalURL')
This should be changed to adminURL.

Tags: keystone
Sudheer Kalla (sudheer-kalla) wrote:
Changed in horizon:
status: New → Confirmed
status: Confirmed → New
tags: added: keystone
summary: - unable to change user password
+ Unable to change user password when ENFORCE_PASSWORD_CHECK is True
Ying Zuo (yingzuo) wrote:

I am not able to reproduce the issue with the master branch. What version of horizon and keystone are you using?

lahari (ananda-bhavaraju) wrote:

Hello Ying,

I'm using OpenStack Pike and keystone v2.

This happens only when I set ENFORCE_PASSWORD_CHECK to True in local_settings.py.

Change ENFORCE_PASSWORD_CHECK to True and restart the apache2 service.

Then, when trying to change a user's password, I get an error saying the admin password is wrong.

Sudheer has attached the image. Thank you, Sudheer.

The reason is, IMO, that the API is trying to communicate via internalURL, which should be changed to adminURL.

Ying Zuo (yingzuo) wrote:

I enabled the ENFORCE_PASSWORD_CHECK and was able to change a user's password with the admin password successfully. I use keystone v3 though.

Sudheer Kalla (sudheer-kalla) wrote:

Hello Ying,

I am able to reproduce the same issue using OpenStack Pike with keystone v3.

Also, I think it is not good to communicate via internalURL as the current implementation does. I think it is better to change the endpoint, or else it will cause problems in the future.

Ying Zuo (yingzuo) wrote:

Hello Sudheer,

I tried with the stable/pike branch and keystone v3 this time, and still cannot reproduce this issue. Can you double check that the admin password you used is correct?

Sudheer Kalla (sudheer-kalla) wrote:

Hello Ying,

I have just tried it again with the same configuration mentioned above and I am able to reproduce it. Please find the attached screenshot, just taken.

Also, in a debugging session I observed the following:

(Pdb) api.keystone.user_verify_admin_password(request, admin_password)
False

The above API call is failing; as a result, the issue mentioned in this bug occurs.

Akihiro Motoki (amotoki) wrote:

I can reproduce the issue. I ran the latest horizon master branch f911d0dd406f60fa9df5891ff5760f2251fc96b0 by using runserver tox env (tox -e runserver). After adding ENFORCE_PASSWORD_CHECK = True to local_settings.py, I see the message "The admin password is incorrect.".

Note that I confirmed my admin password is correct by copying the password I typed in the "Change Password" form and then logging in to horizon again using the copied password. I believe my admin password is the expected one.

Akihiro Motoki (amotoki) wrote:

After adding an error log message to the 'except' clause of user_verify_admin_password in openstack_dashboard.api.keystone, I got the following error message:

  ERROR openstack_dashboard.api.keystone user_verify_admin_password exception: Invalid service catalog service: identity (ServiceCatalogException)

The exception class is ServiceCatalogException and the message is "Invalid service catalog service: identity".

Interestingly enough, the error message is different from the one in the bug description.

Gabriel Samfira (gabriel-samfira) wrote:

This feature cannot work with Keystone v3, as neither user_domain_id, nor user_domain_name are passed to the keystone client here:

https://opendev.org/openstack/horizon/src/branch/master/openstack_dashboard/api/keystone.py#L472

The following diff fixes this issue:

diff --git a/openstack_dashboard/api/keystone.py b/openstack_dashboard/api/keystone.py
index 38931e52d..0fb5d0b24 100644
--- a/openstack_dashboard/api/keystone.py
+++ b/openstack_dashboard/api/keystone.py
@@ -472,6 +472,7 @@ def user_verify_admin_password(request, admin_password):
         client.Client(
             username=request.user.username,
             password=admin_password,
+ user_domain_name=request.user.user_domain_name,
             insecure=insecure,
             cacert=cacert,
             auth_url=endpoint
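Review bot: the added `user_domain_name=request.user.user_domain_name,` line is not indented to the level of the surrounding keyword arguments (`password=admin_password,` and `insecure=insecure,` sit twelve spaces in), so the hunk as shown will not apply cleanly; align it before submitting. Passing the user's domain is the right fix for keystone v3, where a password authentication that carries neither user_domain_id nor user_domain_name cannot identify the user, but note that the hunk leaves the `_get_endpoint_url(request, 'internalURL')` selection raised in the bug description untouched, so that part of the report remains open.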

Xav Paice (xavpaice) wrote:

Noted a case of this with a base install on Focal and Ussuri. The user account was not 'admin' but one with admin rights, and it worked fine from the CLI.

Fairbanks Admin Naturalis (naturalis-support) wrote:

I can confirm this bug is still present in Victoria and the proposed fix does work.

Oleksandr Kozachenko (okozachenko) wrote:
Changed in horizon:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote: Change abandoned on horizon (master)

Change abandoned by "Oleksandr Kozachenko <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/horizon/+/854005
Reason: False negative
