Unhardcoded [security_compliance] section.
Change-Id: I075e4b7171e037e656f0ee330dbfb1cb15836d2c
Related-PROD: PROD-26638
Related-PROD: PROD-27663
(cherry picked from commit acfa0301ca4e3ce10b0591273e802ce66e69c69e)
(cherry picked from commit 004f17bf81986802d1193187fb92f5f48edc926c)
diff --git a/README.rst b/README.rst
index 5a0fedf..a63393e 100644
--- a/README.rst
+++ b/README.rst
@@ -869,6 +869,31 @@
You can read more about it here:
https://docs.openstack.org/security-guide/databases/database-access-control.html
+Enable security compliance policies.
+-----------------------------------
+By default security compliance policies disabled. You are able to define follow params independency each other.
+
+Notice: To ignore `change_password_upon_first_use` requirement for specific users, such as service users,
+set the `options` attribute `ignore_change_password_upon_first_use`
+to `True` for the desired user via the update user API
+
+Notice: Symbol "$" should have escape character and looks like "$$".
+
+.. code-block:: yaml
+
+keystone:
+ server:
+ security_compliance:
+ disable_user_account_days_inactive: 90
+ lockout_failure_attempts: 5
+ lockout_duration: 600
+ password_expires_days: 90
+ unique_last_password_count: 10
+ minimum_password_age: 0
+ password_regex: '^(?=.*\d)(?=.*[a-zA-Z]).{7,}$$'
+ password_regex_description: 'Your password must contains at least 1 letter, 1 digit, and have a minimum length of 7 characters'
+ change_password_upon_first_use: true
+
Upgrades
========
diff --git a/keystone/files/newton/keystone.conf.Debian b/keystone/files/newton/keystone.conf.Debian
index 8d22cf4..e176b99 100644
--- a/keystone/files/newton/keystone.conf.Debian
+++ b/keystone/files/newton/keystone.conf.Debian
@@ -2594,6 +2594,9 @@
# (integer value)
# Minimum value: 1
#disable_user_account_days_inactive = <None>
+{%- if server.security_compliance.disable_user_account_days_inactive is defined and server.get('backend', 'sql') == 'sql' %}
+disable_user_account_days_inactive = {{ server.security_compliance.disable_user_account_days_inactive }}
+{%- endif %}
# The maximum number of times that a user can fail to authenticate before the
# user account is locked for the number of seconds specified by
@@ -2604,6 +2607,9 @@
# backend for the `[identity] driver`. (integer value)
# Minimum value: 1
#lockout_failure_attempts = <None>
+{%- if server.security_compliance.lockout_failure_attempts is defined and server.get('backend', 'sql') == 'sql' %}
+lockout_failure_attempts = {{ server.security_compliance.lockout_failure_attempts }}
+{%- endif %}
# The number of seconds a user account will be locked when the maximum number
# of failed authentication attempts (as specified by `[security_compliance]
@@ -2613,6 +2619,9 @@
# `[identity] driver`. (integer value)
# Minimum value: 1
#lockout_duration = 1800
+{%- if server.security_compliance.lockout_duration is defined and server.get('backend', 'sql') == 'sql' %}
+lockout_duration = {{ server.security_compliance.lockout_duration }}
+{%- endif %}
# The number of days for which a password will be considered valid before
# requiring it to be changed. This feature is disabled by default. If enabled,
@@ -2621,12 +2630,18 @@
# `[identity] driver`. (integer value)
# Minimum value: 1
#password_expires_days = <None>
+{%- if server.security_compliance.password_expires_days is defined and server.get('backend', 'sql') == 'sql' %}
+password_expires_days = {{ server.security_compliance.password_expires_days }}
+{%- endif %}
# Comma separated list of user IDs to be ignored when checking if a password is
# expired. Passwords for users in this list will not expire. This feature will
# only be enabled if `[security_compliance] password_expires_days` is set.
# (list value)
#password_expires_ignore_user_ids =
+{%- if server.password_expires_ignore_user_ids is defined and server.password_expires_days is defined and server.get('backend', 'sql') == 'sql' %}
+password_expires_ignore_user_ids = {{ server.password_expires_ignore_user_ids }}
+{%- endif %}
# This controls the number of previous user password iterations to keep in
# history, in order to enforce that newly created passwords are unique. Setting
@@ -2635,6 +2650,9 @@
# backend for the `[identity] driver`. (integer value)
# Minimum value: 1
#unique_last_password_count = 1
+{%- if server.security_compliance.unique_last_password_count is defined and server.get('backend', 'sql') == 'sql' %}
+unique_last_password_count = {{ server.security_compliance.unique_last_password_count }}
+{%- endif %}
# The number of days that a password must be used before the user can change
# it. This prevents users from changing their passwords immediately in order to
@@ -2646,6 +2664,9 @@
# option should be less than the `password_expires_days`. (integer value)
# Minimum value: 0
#minimum_password_age = 0
+{%- if server.security_compliance.minimum_password_age is defined and server.get('backend', 'sql') == 'sql' %}
+minimum_password_age = {{ server.security_compliance.minimum_password_age }}
+{%- endif %}
# The regular expression used to validate password strength requirements. By
# default, the regular expression will match any password. The following is an
@@ -2653,13 +2674,18 @@
# minimum length of 7 characters: ^(?=.*\d)(?=.*[a-zA-Z]).{7,}$ This feature
# depends on the `sql` backend for the `[identity] driver`. (string value)
#password_regex = <None>
+{%- if server.security_compliance.password_regex is defined and server.get('backend', 'sql') == 'sql' %}
+password_regex = {{ server.security_compliance.password_regex }}
+{%- endif %}
# Describe your password regular expression here in language for humans. If a
# password fails to match the regular expression, the contents of this
# configuration variable will be returned to users to explain why their
# requested password was insufficient. (string value)
#password_regex_description = <None>
-
+{%- if server.security_compliance.password_regex_description is defined %}
+password_regex_description = {{ server.security_compliance.password_regex_description }}
+{%- endif %}
[shadow_users]
diff --git a/keystone/files/ocata/keystone.conf.Debian b/keystone/files/ocata/keystone.conf.Debian
index a2c50eb..55f9c7e 100644
--- a/keystone/files/ocata/keystone.conf.Debian
+++ b/keystone/files/ocata/keystone.conf.Debian
@@ -2805,6 +2805,9 @@
# (integer value)
# Minimum value: 1
#disable_user_account_days_inactive = <None>
+{%- if server.security_compliance.disable_user_account_days_inactive is defined and server.get('backend', 'sql') == 'sql' %}
+disable_user_account_days_inactive = {{ server.security_compliance.disable_user_account_days_inactive }}
+{%- endif %}
# The maximum number of times that a user can fail to authenticate before the
# user account is locked for the number of seconds specified by
@@ -2815,6 +2818,9 @@
# backend for the `[identity] driver`. (integer value)
# Minimum value: 1
#lockout_failure_attempts = <None>
+{%- if server.security_compliance.lockout_failure_attempts is defined and server.get('backend', 'sql') == 'sql' %}
+lockout_failure_attempts = {{ server.security_compliance.lockout_failure_attempts }}
+{%- endif %}
# The number of seconds a user account will be locked when the maximum number
# of failed authentication attempts (as specified by `[security_compliance]
@@ -2824,6 +2830,9 @@
# `[identity] driver`. (integer value)
# Minimum value: 1
#lockout_duration = 1800
+{%- if server.security_compliance.lockout_duration is defined and server.get('backend', 'sql') == 'sql' %}
+lockout_duration = {{ server.security_compliance.lockout_duration }}
+{%- endif %}
# The number of days for which a password will be considered valid before
# requiring it to be changed. This feature is disabled by default. If enabled,
@@ -2832,20 +2841,9 @@
# `[identity] driver`. (integer value)
# Minimum value: 1
#password_expires_days = <None>
-
-# DEPRECATED: Comma separated list of user IDs to be ignored when checking if a
-# password is expired. Passwords for users in this list will not expire. This
-# feature will only be enabled if `[security_compliance] password_expires_days`
-# is set. (list value)
-# This option is deprecated for removal since O.
-# Its value may be silently ignored in the future.
-# Reason: Functionality added as a per-user option "ignore_password_expiry" in
-# Ocata. Each user that should ignore password expiry should have the value set
-# to "true" in the user's `options` attribute (e.g.
-# `user['options']['ignore_password_expiry'] = True`) with an "update_user"
-# call. This avoids the need to restart keystone to adjust the users that
-# ignore password expiry. This option will be removed in the Pike release.
-#password_expires_ignore_user_ids =
+{%- if server.security_compliance.password_expires_days is defined and server.get('backend', 'sql') == 'sql' %}
+password_expires_days = {{ server.security_compliance.password_expires_days }}
+{%- endif %}
# This controls the number of previous user password iterations to keep in
# history, in order to enforce that newly created passwords are unique. Setting
@@ -2854,6 +2852,9 @@
# backend for the `[identity] driver`. (integer value)
# Minimum value: 1
#unique_last_password_count = 1
+{%- if server.security_compliance.unique_last_password_count is defined and server.get('backend', 'sql') == 'sql' %}
+unique_last_password_count = {{ server.security_compliance.unique_last_password_count }}
+{%- endif %}
# The number of days that a password must be used before the user can change
# it. This prevents users from changing their passwords immediately in order to
@@ -2865,6 +2866,9 @@
# option should be less than the `password_expires_days`. (integer value)
# Minimum value: 0
#minimum_password_age = 0
+{%- if server.security_compliance.minimum_password_age is defined and server.get('backend', 'sql') == 'sql' %}
+minimum_password_age = {{ server.security_compliance.minimum_password_age }}
+{%- endif %}
# The regular expression used to validate password strength requirements. By
# default, the regular expression will match any password. The following is an
@@ -2872,12 +2876,18 @@
# minimum length of 7 characters: ^(?=.*\d)(?=.*[a-zA-Z]).{7,}$ This feature
# depends on the `sql` backend for the `[identity] driver`. (string value)
#password_regex = <None>
+{%- if server.security_compliance.password_regex is defined and server.get('backend', 'sql') == 'sql' %}
+password_regex = {{ server.security_compliance.password_regex }}
+{%- endif %}
# Describe your password regular expression here in language for humans. If a
# password fails to match the regular expression, the contents of this
# configuration variable will be returned to users to explain why their
# requested password was insufficient. (string value)
#password_regex_description = <None>
+{%- if server.security_compliance.password_regex_description is defined %}
+password_regex_description = {{ server.security_compliance.password_regex_description }}
+{%- endif %}
# Enabling this option requires users to change their password when the user is
# created, or upon administrative reset. Before accessing any services,
@@ -2888,7 +2898,9 @@
# only applicable with the `sql` backend for the `[identity] driver`. (boolean
# value)
#change_password_upon_first_use = false
-
+{%- if server.security_compliance.change_password_upon_first_use is defined and server.get('backend', 'sql') == 'sql' %}
+change_password_upon_first_use = {{ server.security_compliance.change_password_upon_first_use }}
+{%- endif %}
[shadow_users]
diff --git a/keystone/files/pike/keystone.conf.Debian b/keystone/files/pike/keystone.conf.Debian
index 4f3ef6d..7707181 100644
--- a/keystone/files/pike/keystone.conf.Debian
+++ b/keystone/files/pike/keystone.conf.Debian
@@ -2822,6 +2822,9 @@
# (integer value)
# Minimum value: 1
#disable_user_account_days_inactive = <None>
+{%- if server.security_compliance.disable_user_account_days_inactive is defined and server.get('backend', 'sql') == 'sql' %}
+disable_user_account_days_inactive = {{ server.security_compliance.disable_user_account_days_inactive }}
+{%- endif %}
# The maximum number of times that a user can fail to authenticate before the
# user account is locked for the number of seconds specified by
@@ -2832,6 +2835,9 @@
# backend for the `[identity] driver`. (integer value)
# Minimum value: 1
#lockout_failure_attempts = <None>
+{%- if server.security_compliance.lockout_failure_attempts is defined and server.get('backend', 'sql') == 'sql' %}
+lockout_failure_attempts = {{ server.security_compliance.lockout_failure_attempts }}
+{%- endif %}
# The number of seconds a user account will be locked when the maximum number
# of failed authentication attempts (as specified by `[security_compliance]
@@ -2841,6 +2847,9 @@
# `[identity] driver`. (integer value)
# Minimum value: 1
#lockout_duration = 1800
+{%- if server.security_compliance.lockout_duration is defined and server.get('backend', 'sql') == 'sql' %}
+lockout_duration = {{ server.security_compliance.lockout_duration }}
+{%- endif %}
# The number of days for which a password will be considered valid before
# requiring it to be changed. This feature is disabled by default. If enabled,
@@ -2849,20 +2858,9 @@
# `[identity] driver`. (integer value)
# Minimum value: 1
#password_expires_days = <None>
-
-# DEPRECATED: Comma separated list of user IDs to be ignored when checking if a
-# password is expired. Passwords for users in this list will not expire. This
-# feature will only be enabled if `[security_compliance] password_expires_days`
-# is set. (list value)
-# This option is deprecated for removal since O.
-# Its value may be silently ignored in the future.
-# Reason: Functionality added as a per-user option "ignore_password_expiry" in
-# Ocata. Each user that should ignore password expiry should have the value set
-# to "true" in the user's `options` attribute (e.g.
-# `user['options']['ignore_password_expiry'] = True`) with an "update_user"
-# call. This avoids the need to restart keystone to adjust the users that
-# ignore password expiry. This option will be removed in the Pike release.
-#password_expires_ignore_user_ids =
+{%- if server.security_compliance.password_expires_days is defined and server.get('backend', 'sql') == 'sql' %}
+password_expires_days = {{ server.security_compliance.password_expires_days }}
+{%- endif %}
# This controls the number of previous user password iterations to keep in
# history, in order to enforce that newly created passwords are unique. Setting
@@ -2871,6 +2869,9 @@
# backend for the `[identity] driver`. (integer value)
# Minimum value: 1
#unique_last_password_count = 1
+{%- if server.security_compliance.unique_last_password_count is defined and server.get('backend', 'sql') == 'sql' %}
+unique_last_password_count = {{ server.security_compliance.unique_last_password_count }}
+{%- endif %}
# The number of days that a password must be used before the user can change
# it. This prevents users from changing their passwords immediately in order to
@@ -2882,6 +2883,9 @@
# option should be less than the `password_expires_days`. (integer value)
# Minimum value: 0
#minimum_password_age = 0
+{%- if server.security_compliance.minimum_password_age is defined and server.get('backend', 'sql') == 'sql' %}
+minimum_password_age = {{ server.security_compliance.minimum_password_age }}
+{%- endif %}
# The regular expression used to validate password strength requirements. By
# default, the regular expression will match any password. The following is an
@@ -2889,12 +2893,18 @@
# minimum length of 7 characters: ^(?=.*\d)(?=.*[a-zA-Z]).{7,}$ This feature
# depends on the `sql` backend for the `[identity] driver`. (string value)
#password_regex = <None>
+{%- if server.security_compliance.password_regex is defined and server.get('backend', 'sql') == 'sql' %}
+password_regex = {{ server.security_compliance.password_regex }}
+{%- endif %}
# Describe your password regular expression here in language for humans. If a
# password fails to match the regular expression, the contents of this
# configuration variable will be returned to users to explain why their
# requested password was insufficient. (string value)
#password_regex_description = <None>
+{%- if server.security_compliance.password_regex_description is defined %}
+password_regex_description = {{ server.security_compliance.password_regex_description }}
+{%- endif %}
# Enabling this option requires users to change their password when the user is
# created, or upon administrative reset. Before accessing any services,
@@ -2905,7 +2915,9 @@
# only applicable with the `sql` backend for the `[identity] driver`. (boolean
# value)
#change_password_upon_first_use = false
-
+{%- if server.security_compliance.change_password_upon_first_use is defined and server.get('backend', 'sql') == 'sql' %}
+change_password_upon_first_use = {{ server.security_compliance.change_password_upon_first_use }}
+{%- endif %}
[shadow_users]
diff --git a/keystone/files/queens/keystone.conf.Debian b/keystone/files/queens/keystone.conf.Debian
index c4d0c1b..03ef3c9 100644
--- a/keystone/files/queens/keystone.conf.Debian
+++ b/keystone/files/queens/keystone.conf.Debian
@@ -1399,6 +1399,9 @@
# user table. (integer value)
# Minimum value: 1
#disable_user_account_days_inactive = <None>
+{%- if server.security_compliance.disable_user_account_days_inactive is defined and server.get('backend', 'sql') == 'sql' %}
+disable_user_account_days_inactive = {{ server.security_compliance.disable_user_account_days_inactive }}
+{%- endif %}
# The maximum number of times that a user can fail to authenticate
# before the user account is locked for the number of seconds
@@ -1410,6 +1413,9 @@
# `[identity] driver`. (integer value)
# Minimum value: 1
#lockout_failure_attempts = <None>
+{%- if server.security_compliance.lockout_failure_attempts is defined and server.get('backend', 'sql') == 'sql' %}
+lockout_failure_attempts = {{ server.security_compliance.lockout_failure_attempts }}
+{%- endif %}
# The number of seconds a user account will be locked when the maximum
# number of failed authentication attempts (as specified by
@@ -1420,6 +1426,9 @@
# driver`. (integer value)
# Minimum value: 1
#lockout_duration = 1800
+{%- if server.security_compliance.lockout_duration is defined and server.get('backend', 'sql') == 'sql' %}
+lockout_duration = {{ server.security_compliance.lockout_duration }}
+{%- endif %}
# The number of days for which a password will be considered valid
# before requiring it to be changed. This feature is disabled by
@@ -1429,6 +1438,9 @@
# value)
# Minimum value: 1
#password_expires_days = <None>
+{%- if server.security_compliance.password_expires_days is defined and server.get('backend', 'sql') == 'sql' %}
+password_expires_days = {{ server.security_compliance.password_expires_days }}
+{%- endif %}
# This controls the number of previous user password iterations to
# keep in history, in order to enforce that newly created passwords
@@ -1439,6 +1451,9 @@
# for the `[identity] driver`. (integer value)
# Minimum value: 1
#unique_last_password_count = 1
+{%- if server.security_compliance.unique_last_password_count is defined and server.get('backend', 'sql') == 'sql' %}
+unique_last_password_count = {{ server.security_compliance.unique_last_password_count }}
+{%- endif %}
# The number of days that a password must be used before the user can
# change it. This prevents users from changing their passwords
@@ -1451,6 +1466,9 @@
# be less than the `password_expires_days`. (integer value)
# Minimum value: 0
#minimum_password_age = 0
+{%- if server.security_compliance.minimum_password_age is defined and server.get('backend', 'sql') == 'sql' %}
+minimum_password_age = {{ server.security_compliance.minimum_password_age }}
+{%- endif %}
# The regular expression used to validate password strength
# requirements. By default, the regular expression will match any
@@ -1459,6 +1477,9 @@
# ^(?=.*\d)(?=.*[a-zA-Z]).{7,}$ This feature depends on the `sql`
# backend for the `[identity] driver`. (string value)
#password_regex = <None>
+{%- if server.security_compliance.password_regex is defined and server.get('backend', 'sql') == 'sql' %}
+password_regex = {{ server.security_compliance.password_regex }}
+{%- endif %}
# Describe your password regular expression here in language for
# humans. If a password fails to match the regular expression, the
@@ -1466,6 +1487,9 @@
# explain why their requested password was insufficient. (string
# value)
#password_regex_description = <None>
+{%- if server.security_compliance.password_regex_description is defined %}
+password_regex_description = {{ server.security_compliance.password_regex_description }}
+{%- endif %}
# Enabling this option requires users to change their password when
# the user is created, or upon administrative reset. Before accessing
@@ -1476,7 +1500,9 @@
# is disabled by default. This feature is only applicable with the
# `sql` backend for the `[identity] driver`. (boolean value)
#change_password_upon_first_use = false
-
+{%- if server.security_compliance.change_password_upon_first_use is defined and server.get('backend', 'sql') == 'sql' %}
+change_password_upon_first_use = {{ server.security_compliance.change_password_upon_first_use }}
+{%- endif %}
[shadow_users]
diff --git a/keystone/map.jinja b/keystone/map.jinja
index d97e1a5..cbf1f03 100644
--- a/keystone/map.jinja
+++ b/keystone/map.jinja
@@ -31,6 +31,7 @@
'notification': False,
'roles': ['admin', 'Member'],
'cacert': '/etc/ssl/certs/ca-certificates.crt',
+ 'security_compliance': {},
'logging': {
'app_name': 'keystone',
'log_appender': false,
@@ -56,6 +57,7 @@
'notification': False,
'roles': ['admin', 'Member'],
'cacert': '/etc/pki/tls/certs/ca-bundle.crt',
+ 'security_compliance': {},
'logging': {
'app_name': 'keystone',
'log_appender': false,
diff --git a/tests/pillar/cluster.sls b/tests/pillar/cluster.sls
index 1290fc0..e90ae70 100644
--- a/tests/pillar/cluster.sls
+++ b/tests/pillar/cluster.sls
@@ -27,6 +27,16 @@
location: /etc/keystone/fernet-keys/
notification: false
notification_format: cadf
+ security_compliance:
+ disable_user_account_days_inactive: 90
+ lockout_failure_attempts: 5
+ lockout_duration: 600
+ password_expires_days: 90
+ unique_last_password_count: 10
+ minimum_password_age: 0
+ password_regex: '^(?=.*\d)(?=.*[a-zA-Z]).{7,}$$'
+ password_regex_description: 'Your password must contains at least 1 letter, 1 digit, and have a minimum length of 7 characters'
+ change_password_upon_first_use: True
logging:
log_appender: false
log_handlers:
diff --git a/tests/pillar/single.sls b/tests/pillar/single.sls
index d52812d..0ea2a98 100644
--- a/tests/pillar/single.sls
+++ b/tests/pillar/single.sls
@@ -28,6 +28,16 @@
location: /etc/keystone/fernet-keys/
notification: false
notification_format: cadf
+ security_compliance:
+ disable_user_account_days_inactive: 90
+ lockout_failure_attempts: 5
+ lockout_duration: 600
+ password_expires_days: 90
+ unique_last_password_count: 10
+ minimum_password_age: 0
+ password_regex: '^(?=.*\d)(?=.*[a-zA-Z]).{7,}$$'
+ password_regex_description: 'Your password must contains at least 1 letter, 1 digit, and have a minimum length of 7 characters'
+ change_password_upon_first_use: True
logging:
log_appender: false
log_handlers: