Multiple Local Keystone User Authorisation Failed with "AssertionError: User is disabled" Error

Problem

Local users failing to authorise and below mentioned error was observed in the keystone logs during the time of issue.

Bash
    
2022-06-14 14:37:29,304.304 2083 WARNING keystone.auth.plugins.core [req-a0fcf859-5081-4c7d-b08c-cccaea530f2e - - - - -] User is disabled: 8217XXXXXXXXXXXXXXXXXXd4d2: AssertionError: User is disabled: 8217XXXXXXXXXXXXXXXXXXd4d2
Copy

Environment

Platform9 Edge Cloud - v5.1 and Above

Cause

This issue has been observed after the Reboot or Migration activity of the Management Plane Host.
The exact cause of the issue is still unknown but it is suspected due to the mysql database corruption.
The similar issue can also be observed for qbert , resmgr and appbert local users which can result in authorisation failures for the respective components

Resolution

Check the value for last_active_at parameter in MySQL DB for the affected users and confirm that the date entry mentioned in there is very old.

mysql
    
​x
    
# mysql keystone -e "select * from user;\G" | grep 1970​1633e4090cc841708654052ca307fddb        {"is_local": true, "email": null, "default_project": "328168c0ebdd4efbb6fdd4d873f35634"}        1       NULL    2021-07-26 08:30:37     1970-01-03       default8afbec2f4d5043f68633bb68f465ffff        {"email": null, "description": null}    1       acee693e09c649de98324e053d63b648        2021-07-26 08:31:10     1970-01-03      defaulta1af8eb6882c44f198dea1375345f1ef        {"email": null, "description": null}    1       acee693e09c649de98324e053d63b648        2021-07-26 08:31:09     1970-01-03      defaulte3285eb41d0b4fed99649afa8568ba5e        {"email": null, "description": null}    1       acee693e09c649de98324e053d63b648        2021-07-26 08:33:44     1970-01-03      default
Copy

Check if the affected users are enabled or disabled using the command mentioned below.

Bash
    
 
# openstack user show admin@airctl.localnet --insecure -c enabled -vSTART with options: [u'user', u'show', u'admin@airctl.localnet', u'--insecure', u'-c', u'enabled', u'-v']command: user show -> openstackclient.identity.v3.user.ShowUser (auth=True)Using auth plugin: password+---------+-------+| Field   | Value |+---------+-------+| enabled | False |+---------+-------+
Copy

Check if the disable_user_account_days_inactive parameter is enabled in the keystone.conf file.

Bash
    
 
# less /etc/keystone/keystone.conf | grep -i "disable_user_account_days_inactive"#disable_user_account_days_inactive = <None>disable_user_account_days_inactive = 3650
Copy

Comment the disable_user_account_days_inactive parameter in the /etc/keystone/keystone.conf file and restart the keystone service.

command
    
 
# vi /etc/keystone/keystone.conf----#disable_user_account_days_inactive=3650----​# systemctlrestarthttpd
Copy

If the qbert , resmgr and appbert users are also affected due to this issue then restart the pf9-resmgr , pf9-qbert and pf9-appbert services on the management plane.

Bash
    
 
# systemctl restart pf9-resmgr pf9-qbert pf9-appbert
Copy

This should help to resolve the authorisation issue with the respective user and service.

Last updated on

Was this page helpful?