Multiple Local Keystone User Authorisation Failed with "AssertionError: User is disabled" Error

Problem

Local users failing to authorise and below mentioned error was observed in the keystone logs during the time of issue.

2022-06-14 14:37:29,304.304 2083 WARNING keystone.auth.plugins.core [req-a0fcf859-5081-4c7d-b08c-cccaea530f2e - - - - -] User is disabled: 8217XXXXXXXXXXXXXXXXXXd4d2: AssertionError: User is disabled: 8217XXXXXXXXXXXXXXXXXXd4d2

Environment

Platform9 Edge Cloud - v5.1 and Above

Cause

This issue has been observed after the Reboot or Migration activity of the Management Plane Host.
The exact cause of the issue is still unknown but it is suspected due to the mysql database corruption.
The similar issue can also be observed for qbert , resmgr and appbert local users which can result in authorisation failures for the respective components

Resolution

Check the value for last_active_at parameter in MySQL DB for the affected users and confirm that the date entry mentioned in there is very old.

# mysql keystone -e "select * from user;\G" | grep 1970

1633e4090cc841708654052ca307fddb        {"is_local": true, "email": null, "default_project": "328168c0ebdd4efbb6fdd4d873f35634"}        1       NULL    2021-07-26 08:30:37     1970-01-03       default
8afbec2f4d5043f68633bb68f465ffff        {"email": null, "description": null}    1       acee693e09c649de98324e053d63b648        2021-07-26 08:31:10     1970-01-03      default
a1af8eb6882c44f198dea1375345f1ef        {"email": null, "description": null}    1       acee693e09c649de98324e053d63b648        2021-07-26 08:31:09     1970-01-03      default
e3285eb41d0b4fed99649afa8568ba5e        {"email": null, "description": null}    1       acee693e09c649de98324e053d63b648        2021-07-26 08:33:44     1970-01-03      default

Check if the affected users are enabled or disabled using the command mentioned below.

# openstack user show admin@airctl.localnet --insecure -c enabled -v
START with options: [u'user', u'show', u'admin@airctl.localnet', u'--insecure', u'-c', u'enabled', u'-v']
command: user show -> openstackclient.identity.v3.user.ShowUser (auth=True)
Using auth plugin: password
+---------+-------+
| Field   | Value |
+---------+-------+
| enabled | False |
+---------+-------+

Check if the disable_user_account_days_inactive parameter is enabled in the keystone.conf file.

# less /etc/keystone/keystone.conf | grep -i "disable_user_account_days_inactive"
#disable_user_account_days_inactive = <None>
disable_user_account_days_inactive = 3650

Comment the disable_user_account_days_inactive parameter in the /etc/keystone/keystone.conf file and restart the keystone service.

# vi /etc/keystone/keystone.conf
----
#disable_user_account_days_inactive=3650
----

# systemctlrestarthttpd

If the qbert , resmgr and appbert users are also affected due to this issue then restart the pf9-resmgr , pf9-qbert and pf9-appbert services on the management plane.

# systemctl restart pf9-resmgr pf9-qbert pf9-appbert

This should help to resolve the authorisation issue with the respective user and service.

PreviousResetting RabbitMQ Database Caused Complete Host Disconnection from Management Plane NextPMK Stack Execution Fails For the Nodes That Have Hostnames With Uppercase Characters

Last updated 2 months ago

Good night

hashtagProblem

hashtagEnvironment

hashtagCause

hashtagResolution

Problem

Environment

Cause

Resolution