On 25/08/2025 19:21, Sean Mooney wrote:
On 25/08/2025 17:12, Dmitriy Rabotyagov wrote:
Hey folks,
I wanted to raise awareness of operators regarding Keystone upgrade to Epoxy (2025.1), as found that existing release notes are slightly more vague about corner case definition.
During analysis, it appeared that a lot of users (and under "a lot" I mean 4 figures number) in my really old deployments (which were deployed during Newton), still in use passwords hashed with sha512_crypt which has been dropped in 2025.1 [1]. As this was referenced as a "corner case" in upgrade docs, it may not bring enough attention to this matter reading notes, while sha512_crypt removal is mentioned in "Other" section which I personally missed when analyzing upgrade requirements.
i am misting context but it this related to the remvoe of the crypt model in python 3.12/3.13
https://docs.python.org/3.12/library/crypt.html
So I would highly recommend to ensure that all your users are using supported hashing algorithms before the upgrade to Epoxy, and inform them to reset their passwords if they don't.
this proably shoudl have a equivlent of a nova-status check and or online data migration in keystone.
actully keystone cant provide tooling to do the migration of the sha. the only way for keyston to do this would be to wait for the user to auth and as a sideffect of thatt caluate a newer hash after they verify the users credentials keyston obviouly wont store the password in a retirivable way so it cant simply provide a tool to update it in place. it could only ever do that migration in responce to validating anth request to issue a new token. code to do that woudl have had to be implmented whewn teh algorthim was deprecated to provide a smooth upgrade without forcing a password reset.
You can list users who are using unsupported hashing algorithm using following MySQL query: SELECT distinct l_u.user_id FROM keystone.local_user AS l_u JOIN keystone.password AS hash ON l_u.id <http://l_u.id> = hash.local_user_id WHERE (hash.password_hash LIKE '$6$%' OR hash.password_hash LIKE '$5$%') AND hash.expires_at i s null;
Hope this helps somebody to save some time in the future.
[1] https://opendev.org/openstack/keystone/commit/4a4137d5f77ced3f4f011846fb9c28...
ok ya it was removed in because fo the removal in python 3.13 looking at the commit message.
that shoudl ahve had either migration toollign or an upgade note as you sadi as i assume this will requrie the admin to restet the password for older users.