Unhardcode [security_compliance] section in newton

Change-Id: Id16c6fb842bb000b09578cfb09c1a537d78e5a4e
Related-Prod: PROD-27663 (PROD:27663)
Related-Prod: PROD-28125 (PROD:28125)
Related-Prod: PROD-26638 (PROD:26638)
diff --git a/keystone/files/newton/keystone.conf.Debian b/keystone/files/newton/keystone.conf.Debian
index 8d22cf4..e176b99 100644
--- a/keystone/files/newton/keystone.conf.Debian
+++ b/keystone/files/newton/keystone.conf.Debian
@@ -2594,6 +2594,9 @@
 # (integer value)
 # Minimum value: 1
 #disable_user_account_days_inactive = <None>
+{%- if server.security_compliance.disable_user_account_days_inactive is defined and server.get('backend', 'sql') == 'sql' %}
+disable_user_account_days_inactive = {{ server.security_compliance.disable_user_account_days_inactive }}
+{%- endif %}
 
 # The maximum number of times that a user can fail to authenticate before the
 # user account is locked for the number of seconds specified by
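Review bot: The new guard `server.security_compliance.disable_user_account_days_inactive is defined` resolves the attribute chain before the `is defined` test runs, so on a pillar that has no `security_compliance` key at all the render may fail with an undefined-variable error under Jinja's default `Undefined` instead of simply omitting the option; whether such pillars exist for this formula is not visible here. A guard of the form `{%- if server.get('security_compliance', {}).disable_user_account_days_inactive is defined and server.get('backend', 'sql') == 'sql' %}` degrades to "option not set" in that case. The same pattern is repeated for every option this change adds, so whichever form is chosen should be applied consistently.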
@@ -2604,6 +2607,9 @@
 # backend for the `[identity] driver`. (integer value)
 # Minimum value: 1
 #lockout_failure_attempts = <None>
+{%- if server.security_compliance.lockout_failure_attempts is defined and server.get('backend', 'sql') == 'sql' %}
+lockout_failure_attempts = {{ server.security_compliance.lockout_failure_attempts }}
+{%- endif %}
 
 # The number of seconds a user account will be locked when the maximum number
 # of failed authentication attempts (as specified by `[security_compliance]
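Review bot: The rendered `lockout_failure_attempts` line carries no operator-facing caveat, although per the surrounding comments setting it makes any account lockable for `lockout_duration` seconds by whoever can send that many failed authentications for a known user name. A short comment above the new block, such as `# NOTE: enabling lockout lets unauthenticated clients lock out known users; size lockout_failure_attempts together with lockout_duration`, would make that trade-off visible to whoever sets the pillar value.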
@@ -2613,6 +2619,9 @@
 # `[identity] driver`. (integer value)
 # Minimum value: 1
 #lockout_duration = 1800
+{%- if server.security_compliance.lockout_duration is defined and server.get('backend', 'sql') == 'sql' %}
+lockout_duration = {{ server.security_compliance.lockout_duration }}
+{%- endif %}
 
 # The number of days for which a password will be considered valid before
 # requiring it to be changed. This feature is disabled by default. If enabled,
@@ -2621,12 +2630,18 @@
 # `[identity] driver`. (integer value)
 # Minimum value: 1
 #password_expires_days = <None>
+{%- if server.security_compliance.password_expires_days is defined and server.get('backend', 'sql') == 'sql' %}
+password_expires_days = {{ server.security_compliance.password_expires_days }}
+{%- endif %}
 
 # Comma separated list of user IDs to be ignored when checking if a password is
 # expired. Passwords for users in this list will not expire. This feature will
 # only be enabled if `[security_compliance] password_expires_days` is set.
 # (list value)
 #password_expires_ignore_user_ids =
+{%- if server.password_expires_ignore_user_ids is defined and server.password_expires_days is defined and server.get('backend', 'sql') == 'sql' %}
+password_expires_ignore_user_ids = {{ server.password_expires_ignore_user_ids }}
+{%- endif %}
 
 # This controls the number of previous user password iterations to keep in
 # history, in order to enforce that newly created passwords are unique. Setting
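Review bot: The two new `password_expires_ignore_user_ids` lines read `server.password_expires_ignore_user_ids` and `server.password_expires_days` from the top level of `server`, while every other option in this change, including the `password_expires_days` rendered a few lines above, reads from `server.security_compliance`; with the pillar laid out as the rest of the section expects, the exemption list is never rendered and the listed users' passwords expire like everyone else's. The guard should read `{%- if server.security_compliance.password_expires_ignore_user_ids is defined and server.security_compliance.password_expires_days is defined and server.get('backend', 'sql') == 'sql' %}` with the value rendered as `password_expires_ignore_user_ids = {{ server.security_compliance.password_expires_ignore_user_ids }}`. Keystone parses this option as a comma-separated list, so if the pillar supplies a YAML list rather than a string it should be rendered through `|join(',')` to avoid emitting a Python list literal. Because this list exempts accounts from expiry, a comment above it noting that it is meant for service accounts and should be kept minimal would help reviewers of the pillar.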
@@ -2635,6 +2650,9 @@
 # backend for the `[identity] driver`. (integer value)
 # Minimum value: 1
 #unique_last_password_count = 1
+{%- if server.security_compliance.unique_last_password_count is defined and server.get('backend', 'sql') == 'sql' %}
+unique_last_password_count = {{ server.security_compliance.unique_last_password_count }}
+{%- endif %}
 
 # The number of days that a password must be used before the user can change
 # it. This prevents users from changing their passwords immediately in order to
@@ -2646,6 +2664,9 @@
 # option should be less than the `password_expires_days`. (integer value)
 # Minimum value: 0
 #minimum_password_age = 0
+{%- if server.security_compliance.minimum_password_age is defined and server.get('backend', 'sql') == 'sql' %}
+minimum_password_age = {{ server.security_compliance.minimum_password_age }}
+{%- endif %}
 
 # The regular expression used to validate password strength requirements. By
 # default, the regular expression will match any password. The following is an
@@ -2653,13 +2674,18 @@
 # minimum length of 7 characters: ^(?=.*\d)(?=.*[a-zA-Z]).{7,}$ This feature
 # depends on the `sql` backend for the `[identity] driver`. (string value)
 #password_regex = <None>
+{%- if server.security_compliance.password_regex is defined and server.get('backend', 'sql') == 'sql' %}
+password_regex = {{ server.security_compliance.password_regex }}
+{%- endif %}
 
 # Describe your password regular expression here in language for humans. If a
 # password fails to match the regular expression, the contents of this
 # configuration variable will be returned to users to explain why their
 # requested password was insufficient. (string value)
 #password_regex_description = <None>
-
+{%- if server.security_compliance.password_regex_description is defined %}
+password_regex_description = {{ server.security_compliance.password_regex_description }}
+{%- endif %}
 
 [shadow_users]