Gerrit review comments, openstack/devstack change (patch sets 1, 2 and 10; patch set 10 is commit 1d7765a830737ee63f3041b007f2a84f0b047b3c)

========================================================================
File: .zuul.yaml, line 361 (patch set 10)
========================================================================

Context:

    358       devstack_localrc:
    359         DATABASE_PASSWORD: secretdatabase
    360         RABBIT_PASSWORD: secretrabbit
    361         ADMIN_PASSWORD: secretadmin1
    362         SERVICE_PASSWORD: secretservice1
    363         NETWORK_GATEWAY: 10.1.0.1
    364         FIXED_RANGE: 10.1.0.0/20

------------------------------------------------------------------------
sean mooney (smooney@redhat.com, sean-k-mooney), 2025-08-13 18:22:46, unresolved
------------------------------------------------------------------------

Why is this required?

A new feature should not be enabled by default, so you should not need to modify the base job.

------------------------------------------------------------------------
Douglas Mendizábal (dmendiza@redhat.com, dougmendizabal), 2025-08-14 17:32:06, unresolved, in reply to the above
------------------------------------------------------------------------

Thanks for the review, @smooney@redhat.com. Unfortunately, the answer to this is a bit complicated. I am also unsure about what devstack considers a "new feature", so I'll explain my reasoning for this change from a Keystone point of view, and hope that we can arrive at a solution that works for both of us.

From a Keystone perspective, the feature in question here is "Security Compliance" as documented in [1]. This feature encompasses several options in keystone.conf that are all grouped in the `[security_compliance]` section of the config file.

Devstack already has a flag for this feature: `$KEYSTONE_SECURITY_COMPLIANCE_ENABLED` [2]. Tempest also has a matching flag that enables/disables the test suite for all Security Compliance tests: `[identity-feature-enabled]\security_compliance` [3]. This option in tempest is set by devstack in tempest.conf using the same existing flag. [4]

Given that devstack already has this flag that encompasses all currently supported options for [security_compliance], I would prefer not to add another sub-flag that only affects a single option in this group. I want to find a path forward that does not require the addition of a `KEYSTONE_ENFORCE_PASSWORD_REGEX` flag because:

* It splits the options in [security_compliance] into flags that affect some options but not others.
* It forces us to also introduce additional feature flags in Tempest to reflect the values of the flags here.
* It would force us to split the Security Compliance test suite in tempest into separate chunks that would need to consider all relevant flags to determine whether they can be run or not.
* We want to continue to improve Security Compliance testing to encompass all existing [security_compliance] options [5] and I don't want to have to add individual flags every time we add support for another option in the future.

There are two reasons why this change is made here for the devstack-base job:

* `$KEYSTONE_SECURITY_COMPLIANCE_ENABLED` defaults to `True` [2].
* The proposed default value for the regex (`'^(?=.*\d)(?=.*[a-zA-Z]).{7,}$'`) requires one digit.

Because devstack-base does not disable the KEYSTONE_SECURITY_COMPLIANCE_ENABLED flag, all jobs that inherit from devstack-base are opting in to running the security test suite in tempest. When more tests are added in tempest, they get executed by every job as well.

We chose this default regex because it's the value that is documented in the admin [linked in commit message], as well as the help string for the configuration option. [6]

We have been discussing this patch for the last few weeks during the weekly IRC meetings [7][8] and we did talk about a few other options:

* Use a simpler default regex that does not require this change to the default passwords. The downside of this is that it limits what kinds of tests you can write in tempest, but we could still use the existing feature flags in devstack and tempest.
* Use a blank default regex - We tried this already, and it is how we found that all jobs are opting in to using Security Compliance. Making this work requires splitting up the security compliance test suite with an additional tempest flag to indicate which jobs require a regex to be set.
* Changing the default value of `KEYSTONE_SECURITY_COMPLIANCE_ENABLED` from true to `false` - I don't know the historical context for having this feature enabled in the devstack-base job, but we figured this was not likely to happen.

When we discussed the current implementation, the Keystone team agreed that the options to fix any jobs we would potentially break would be fairly straightforward. The job could either:

* Update the passwords to conform to the default regex
* Opt out of Security Compliance by setting `KEYSTONE_SECURITY_COMPLIANCE_ENABLED=false`

I understand the concern about changing this default password though, as evidenced by the failures in the swift-dsvm-functional job, so please let me know your preference for iterating on this patch and continuing to use the existing devstack flag for this feature.

Thank you.

[1] https://docs.openstack.org/keystone/latest/admin/configuration.html#security-compliance-and-pci-dss
[2] https://opendev.org/openstack/devstack/src/commit/3d013ef97f7b963a0ae2c2f0e713d5b476eee73d/lib/keystone#L100
[3] https://opendev.org/openstack/tempest/src/commit/e7e3947694b4412a09c7d151c78a3fd47033adfc/tempest/config.py#L277-L280
[4] https://opendev.org/openstack/devstack/src/commit/3d013ef97f7b963a0ae2c2f0e713d5b476eee73d/lib/tempest#L431-L433
[5] https://opendev.org/openstack/keystone/src/commit/e066e18abf5dc9a061fe2fc479a851aa0b65c794/keystone/conf/security_compliance.py#L228-L242
[6] https://opendev.org/openstack/keystone/src/commit/e066e18abf5dc9a061fe2fc479a851aa0b65c794/keystone/conf/security_compliance.py#L112-L121
[7] https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-07-30-15.20.log.html#l-66
[8] https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-08-06-15.04.log.html#l-48

------------------------------------------------------------------------
sean mooney (smooney@redhat.com, sean-k-mooney), 2025-08-15 12:20:13, unresolved, in reply to the above
------------------------------------------------------------------------

So the reason I don't want to enable this by default is that, like many others, I have many example local.conf files from over the years where I set all passwords to `password`.

If we start enforcing that regex by default it will break all of them, and break everyone else who has used devstack for years with the default that devstack uses.

So the reason I want to keep this off by default is not about whether it is a new feature or not.

It's about not breaking everyone who uses devstack day to day by invalidating all their local.confs.

In the CI jobs it's totally OK to enable this in the zuul.yaml if we really want to test with this by default, but in devstack's actual default when used locally I don't think we should be changing the default password or enabling this feature by default, unless keystone is planning to change their default in a future release and eventually block simple passwords?

If we want to have just one flag then I would suggest the following.
Let's use a simple regex that does not require any default password changes, so as not to break folks using this locally.

Then in CI you can override that with a more complex one and change the passwords there; that gives you the CI coverage you want without impacting people day to day.

Does that sound reasonable?

========================================================================
Patchset-level comments
========================================================================

------------------------------------------------------------------------
Milana Levy (millevy@redhat.com, millevy), 2025-07-30 08:49:58, patch set 1 (commit 2c8ca56235be2572bd44025e5a69c3cf7b1f147b), resolved
------------------------------------------------------------------------

Looks good to me.

------------------------------------------------------------------------
Douglas Mendizábal (dmendiza@redhat.com, dougmendizabal), 2025-07-30 16:25:14, patch set 1, resolved
------------------------------------------------------------------------

Tempest test failed - this patch needs to be updated.

------------------------------------------------------------------------
Douglas Mendizábal (dmendiza@redhat.com, dougmendizabal), 2025-08-01 14:56:37, patch set 2 (commit 824935f5313a151664efad077c6d93880e831ed2), resolved
------------------------------------------------------------------------

recheck - timeout

------------------------------------------------------------------------
sean mooney (smooney@redhat.com, sean-k-mooney), 2025-08-19 13:53:31, patch set 10, resolved
------------------------------------------------------------------------

@gmaan any guidance here?

I'm not entirely against it; I just feel like it will annoy a lot of existing users if we change the default password or require them to disable the security_compliance checks to use them.

------------------------------------------------------------------------
Douglas Mendizábal (dmendiza@redhat.com, dougmendizabal), 2025-08-19 18:39:36, patch set 10, unresolved, in reply to the above
------------------------------------------------------------------------

@smooney@redhat.com @gmann, I've submitted an alternative approach for your consideration: https://review.opendev.org/c/openstack/devstack/+/957969

In that patch, `KEYSTONE_SECURITY_COMPLIANCE_ENABLED` is changed to default to False, which fixes the issue of having to consider every single devstack deployment every time we add/change security compliance options and tests. It also adds a new job that sets this flag to True and sets the appropriate passwords for only that job.

------------------------------------------------------------------------
Ghanshyam Maan (gmaan.os14@gmail.com, ghanshyam), 2025-08-19 19:28:00, patch set 10, unresolved, in reply to the above
------------------------------------------------------------------------

I agree with Sean on not changing the existing password/setup. I commented on another approach, which is the right way to keep things the same by default and let tempest jobs configure the way they want to test - https://review.opendev.org/c/openstack/devstack/+/957969

------------------------------------------------------------------------
sean mooney (smooney@redhat.com, sean-k-mooney), 2025-08-19 19:37:49, patch set 10, unresolved, in reply to Douglas Mendizábal's comment above
------------------------------------------------------------------------

If that is something others like, I think that is a better approach, as it will allow you to continue to evolve it as needed with limited impact: you will have to opt into it via KEYSTONE_SECURITY_COMPLIANCE_ENABLED, and if you are setting that you should be aware of the constraints it implies.

========================================================================
File: doc/source/index.rst, line 96 (patch set 10)
========================================================================

Context:

    93  .. code-block:: ini
    94
    95     [[local|localrc]]
    96     ADMIN_PASSWORD=secretadmin1
    97     DATABASE_PASSWORD=$ADMIN_PASSWORD
    98     RABBIT_PASSWORD=$ADMIN_PASSWORD
    99     SERVICE_PASSWORD=$ADMIN_PASSWORD

------------------------------------------------------------------------
sean mooney (smooney@redhat.com, sean-k-mooney), 2025-08-13 18:22:46, unresolved
------------------------------------------------------------------------

-1

If we are changing it we should set it to `password`, but I don't think we should be changing the devstack default password for this functionality.

------------------------------------------------------------------------
Douglas Mendizábal (dmendiza@redhat.com, dougmendizabal), 2025-08-14 17:32:06, unresolved, in reply to the above
------------------------------------------------------------------------

This is just documentation, so it doesn't really affect anything. The reason I changed it is because I wanted to show a password that would be valid with the default regex in this patchset. I can revert the change if you'd rather keep this simple example.

========================================================================
File: lib/keystone, line 111 (patch set 10)
========================================================================

Context:

    108  # - one (1) digit
    109  # - minimum length of 7 characters
    110  KEYSTONE_PASSWORD_REGEX=${KEYSTONE_PASSWORD_REGEX:-'^(?=.*\d)(?=.*[a-zA-Z]).{7,}$'}
    111  KEYSTONE_PASSWORD_REGEX_MIN_LENGTH=${KEYSTONE_PASSWORD_REGEX_MIN_LENGTH:-7}
    112
    113  # Number of bcrypt hashing rounds, increasing number exponentially increases required
    114  # resources to generate password hash. This is very effective way to protect from

------------------------------------------------------------------------
sean mooney (smooney@redhat.com, sean-k-mooney), 2025-08-13 18:22:46, unresolved
------------------------------------------------------------------------

Please add a boolean flag to enable this and disable it by default.

KEYSTONE_ENFORCE_PASSWORD_REGEX=${KEYSTONE_ENFORCE_PASSWORD_REGEX:-False}

------------------------------------------------------------------------
Douglas Mendizábal (dmendiza@redhat.com, dougmendizabal), 2025-08-14 17:32:06, unresolved, in reply to the above
------------------------------------------------------------------------

I'm addressing this in the comment in .zuul.yaml.
