Blueprint pci-dss-query-password-expired-users
Currently, when using the keystone.conf [security_compliance] password_expires_days option, once a user's password expires and must be reset by an administrator, there is no way to query the list of users who are in this expired state. We would like the ability to retrieve a list of users whose passwords have expired, for technical support and auditing purposes.
A new query parameter will be added to the existing GET /v3/users API call, allowing an administrator to list the users who are currently locked out due to password expiration. This will allow operators to set up jobs that generate the necessary audit lists and notifications.
Query list of users based on their passwords’ expiry time
Gets a list of users based on their password expiry time.
GET /v3/users?password_expires_at={operator}:{timestamp}
Where {timestamp} is a datetime in the format YYYY-MM-DDTHH:mm:ssZ and {operator} is either lt or gt. Note that a user can also do equality matching via /v3/users?password_expires_at={timestamp}; however, given the nature of this query, exact matching is unlikely to be as useful.
The operator-prefixed value follows the API Working Group filtering guideline: http://specs.openstack.org/openstack/api-wg/guidelines/pagination_filter_sort.html#filtering
Query list of users whose password has expired before a given timestamp.
GET /v3/users?password_expires_at=lt:2016-10-10T15:30:22Z
Response
{
    "links": {
        "next": null,
        "previous": null,
        "self": "http://example.com/identity/v3/users"
    },
    "users": [
        {
            "domain_id": "default",
            "enabled": false,
            "id": "514a66612f53412796952414898a6b99",
            "name": "someuser1",
            "links": {
                "self": "http://example.com/identity/v3/users/514a66612f53412796952414898a6b99"
            },
            "password_expires_at": "2016-07-07T15:32:17.000000"
        },
        {
            "domain_id": "default",
            "enabled": true,
            "id": "ce8a21d43bc64ce6840346f0a14a7fa9",
            "name": "someuser4",
            "links": {
                "self": "http://example.com/identity/v3/users/ce8a21d43bc64ce6840346f0a14a7fa9"
            },
            "password_expires_at": "2016-10-09T00:21:04.000000"
        }
    ]
}
Query list of users whose password will expire after a given timestamp.
GET /v3/users?password_expires_at=gt:2016-10-14T15:30:22Z
Response
{
    "links": {
        "next": null,
        "previous": null,
        "self": "http://example.com/identity/v3/users"
    },
    "users": [
        {
            "domain_id": "default",
            "enabled": false,
            "id": "514a66612f53412796952414898a6b99",
            "name": "someuser1",
            "links": {
                "self": "http://example.com/identity/v3/users/514a66612f53412796952414898a6b99"
            },
            "password_expires_at": "2016-10-17T15:32:17.000000"
        }
    ]
}
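The following is an added example, not Keystone's code or part of this spec: it parses the proposed password_expires_at={operator}:{timestamp} filter (lt, gt, or a bare timestamp for equality), applies it to a set of user records, and renders the result in the shape of the responses above. The user records, their ids and expiry times are constructed for illustration; the spec's example responses omit a timezone on password_expires_at, and this example assumes those values are UTC. Malformed operators or timestamps are reported as a ValueError, which a real API handler would map to a 400 response rather than silently returning every user.

```python
"""Worked example (not Keystone's own code) of the proposed
GET /v3/users?password_expires_at={operator}:{timestamp} filter."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Query timestamp format given in the spec (always UTC, 'Z' suffix).
QUERY_TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
# Format of password_expires_at in the example responses; assumed UTC here.
RESPONSE_TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f"

# Comparison semantics for each supported operator.  'eq' is what a bare
# timestamp (no operator prefix) means, as the spec describes.
OPERATORS: Dict[str, Callable[[datetime, datetime], bool]] = {
    "lt": lambda value, bound: value < bound,
    "gt": lambda value, bound: value > bound,
    "eq": lambda value, bound: value == bound,
}


@dataclass
class User:
    id: str
    name: str
    enabled: bool
    password_expires_at: Optional[datetime]  # None: password never expires


def _ts(value: str) -> datetime:
    """Parse a response-style timestamp as UTC (constructed sample data)."""
    return datetime.strptime(value, RESPONSE_TS_FORMAT).replace(tzinfo=timezone.utc)


# Constructed sample users; ids are placeholders, not values from the spec.
SAMPLE_USERS: List[User] = [
    User("00000000000000000000000000000001", "someuser1", False, _ts("2016-07-07T15:32:17.000000")),
    User("00000000000000000000000000000002", "someuser2", True, _ts("2016-10-17T15:32:17.000000")),
    User("00000000000000000000000000000003", "someuser3", True, None),
    User("00000000000000000000000000000004", "someuser4", True, _ts("2016-10-09T00:21:04.000000")),
]


def parse_filter(raw: str):
    """Split '{operator}:{timestamp}' or a bare timestamp into (op, datetime).

    Raises ValueError for an unknown operator or a timestamp that is not in
    YYYY-MM-DDTHH:mm:ssZ form; callers should treat that as a client error.
    """
    op, _, ts = raw.partition(":")
    if not op.isalpha():  # no alphabetic prefix: the whole value is a timestamp
        op, ts = "eq", raw
    if op not in OPERATORS:
        raise ValueError(f"unsupported operator {op!r}; expected lt or gt")
    try:
        bound = datetime.strptime(ts, QUERY_TS_FORMAT).replace(tzinfo=timezone.utc)
    except ValueError as exc:
        raise ValueError(f"timestamp {ts!r} is not YYYY-MM-DDTHH:mm:ssZ") from exc
    return op, bound


def validate_filter(raw: str) -> Optional[str]:
    """Return an error message for an invalid filter value, or None if valid."""
    try:
        parse_filter(raw)
    except ValueError as exc:
        return str(exc)
    return None


def filter_users(users: List[User], raw_filter: str) -> List[User]:
    """Apply the filter; users with no expiry never match a time comparison."""
    op, bound = parse_filter(raw_filter)
    match = OPERATORS[op]
    return [u for u in users
            if u.password_expires_at is not None and match(u.password_expires_at, bound)]


def filter_from_url(users: List[User], url: str) -> List[User]:
    """Extract password_expires_at from a full request URL and apply it."""
    values = parse_qs(urlsplit(url).query).get("password_expires_at")
    if not values:
        return list(users)  # no filter: plain user listing
    return filter_users(users, values[0])


def to_response(users: List[User], base_url: str = "http://example.com/identity/v3/users") -> dict:
    """Render users in the shape of the spec's example responses (no pagination)."""
    return {
        "links": {"next": None, "previous": None, "self": base_url},
        "users": [
            {
                "domain_id": "default",
                "enabled": u.enabled,
                "id": u.id,
                "name": u.name,
                "links": {"self": f"{base_url}/{u.id}"},
                "password_expires_at": (u.password_expires_at.strftime(RESPONSE_TS_FORMAT)
                                        if u.password_expires_at else None),
            }
            for u in users
        ],
    }


if __name__ == "__main__":
    import json
    expired = filter_from_url(SAMPLE_USERS, "http://example.com/identity/v3/users?password_expires_at=lt:2016-10-10T15:30:22Z")
    print(json.dumps(to_response(expired), indent=4))
```

Running the block prints the users whose password expired before 2016-10-10T15:30:22Z; the operator must be validated before the timestamp is parsed, otherwise a typo such as "ge:" would fall through to the equality path and match nothing, which an auditor would wrongly read as "no expired users".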
Operators can directly query the SQL backend for users whose password has expired by checking the password_expires_at field.
None. The added API change has no additional security impact.
No additional notification will be added for this query.
None. There will be no additional end user impact.
This call may fail if there is a very large number of users since pagination is currently not supported.
None. The added API change has no additional deployer impact.
None. The added API change has no additional developer impact.
Documentation in api-ref will be updated to include the added query parameter and its usage.