PCI-DSS Query Password Expired Users
Blueprint pci-dss-query-password-expired-users
Problem Description
Currently, when the keystone.conf [security_compliance] password_expires_days
value is in use, a user whose password has expired must have it reset by an
administrator, yet there is no way to query the list of users who are in this
state of password expiration. We would like the ability to retrieve a list of
users whose passwords have expired, for technical support and auditing
purposes.
Proposed Change
A new query will be added to the existing:
GET /v3/users
API call that allows an administrator to query a list of users who are
currently locked out due to password expiration. This will allow operators to
set up jobs to generate the necessary audit lists and notifications.
Query list of users based on their passwords' expiry time
Gets a list of users based on their password expiry time.
GET /v3/users?password_expires_at={operator}:{timestamp}
where {timestamp} is a datetime in the format YYYY-MM-DDTHH:mm:ssZ and
{operator} can be either lt or gt. Note that a user can also do equality
matching via /v3/users?password_expires_at={timestamp}; however, due to the
nature of this query, it may not be as useful.
See also the API working group filtering guideline:
http://specs.openstack.org/openstack/api-wg/guidelines/pagination_filter_sort.html#filtering
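The filter semantics described above, as an added example in Python (not keystone's or python-keystoneclient's own code): the query value is parsed as {operator}:{timestamp} with lt or gt, or as a bare timestamp for equality matching, and then applied to a constructed set of user records shaped like the example responses. It also covers two cases the spec text leaves implicit: an unknown operator is rejected rather than treated as equality, and users with no expiry set never match a date comparison.

```python
import operator
from datetime import datetime

# Constructed sample records, shaped like the "users" entries in this spec's
# example responses. The last has no expiry set and must never match.
SAMPLE_USERS = [
    {"name": "someuser1", "enabled": False, "password_expires_at": "2016-07-07T15:32:17.000000"},
    {"name": "someuser4", "enabled": True, "password_expires_at": "2016-10-09T00:21:04.000000"},
    {"name": "someuser7", "enabled": True, "password_expires_at": "2016-10-17T15:32:17.000000"},
    {"name": "svc-account", "enabled": True, "password_expires_at": None},
]

# The spec's query format (YYYY-MM-DDTHH:mm:ssZ) and the stored format with
# microseconds and no zone suffix; both are treated as UTC.
TIMESTAMP_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%f")
COMPARATORS = {"lt": operator.lt, "gt": operator.gt, "eq": operator.eq}


def parse_timestamp(value):
    for fmt in TIMESTAMP_FORMATS:
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    raise ValueError("invalid timestamp: %r" % value)


def parse_filter(query_value):
    """Split '{operator}:{timestamp}' into (operator, datetime); a bare timestamp
    means equality. Unknown prefixes are rejected instead of being silently
    treated as equality, so a typo cannot change the meaning of an audit query."""
    prefix, sep, rest = query_value.partition(":")
    if sep and prefix.isalpha():
        if prefix not in ("lt", "gt"):
            raise ValueError("unsupported operator: %r" % prefix)
        return prefix, parse_timestamp(rest)
    return "eq", parse_timestamp(query_value)


def is_valid_filter(query_value):
    try:
        parse_filter(query_value)
    except ValueError:
        return False
    return True


def filter_users(users, query_value):
    # Names of users whose password_expires_at satisfies the filter.
    op, ts = parse_filter(query_value)
    return [u["name"] for u in users
            if u.get("password_expires_at") is not None
            and COMPARATORS[op](parse_timestamp(u["password_expires_at"]), ts)]
```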
Examples
Query list of users whose password has expired before a given timestamp.
GET /v3/users?password_expires_at=lt:2016-10-10T15:30:22Z
Response
{
    "links": {
        "next": null,
        "previous": null,
        "self": "http://example.com/identity/v3/users"
    },
    "users": [
        {
            "domain_id": "default",
            "enabled": false,
            "id": "514a66612f53412796952414898a6b99",
            "name": "someuser1",
            "links": {
                "self": "http://example.com/identity/v3/users/514a66612f53412796952414898a6b99"
            },
            "password_expires_at": "2016-07-07T15:32:17.000000"
        },
        {
            "domain_id": "default",
            "enabled": true,
            "id": "ce8a21d43bc64ce6840346f0a14a7fa9",
            "name": "someuser4",
            "links": {
                "self": "http://example.com/identity/v3/users/ce8a21d43bc64ce6840346f0a14a7fa9"
            },
            "password_expires_at": "2016-10-09T00:21:04.000000"
        }
    ]
}
Query list of users whose password will expire after a given timestamp.
GET /v3/users?password_expires_at=gt:2016-10-14T15:30:22Z
Response
{
    "links": {
        "next": null,
        "previous": null,
        "self": "http://example.com/identity/v3/users"
    },
    "users": [
        {
            "domain_id": "default",
            "enabled": false,
            "id": "514a66612f53412796952414898a6b99",
            "name": "someuser1",
            "links": {
                "self": "http://example.com/identity/v3/users/514a66612f53412796952414898a6b99"
            },
            "password_expires_at": "2016-10-17T15:32:17.000000"
        }
    ]
}
Alternatives
Operators can directly query the SQL backend for users whose password has
expired by checking the password_expires_at field.
Security Impact
None. The added API change has no additional security impact.
Notifications Impact
No additional notification will be added for this query.
Other End User Impact
None. There will be no additional end user impact.
Performance Impact
This call may fail if there is a very large number of users, since pagination is currently not supported.
Other Deployer Impact
None. The added API change has no additional deployer impact.
Developer Impact
None. The added API change has no additional developer impact.
Implementation
Assignee(s)
- Primary assignee:
gagehugo <gagehugo@gmail.com>
- Other contributors:
lamt <tinlam@gmail.com>
Work Items
- Implement new user query.
- Implement bindings in python-keystoneclient.
- Implement unit tests.
- Document new user query usage.
Dependencies
This blueprint depends on the following:
Documentation Impact
Documentation in api-ref will be updated to include the added query parameter and its usage.