openstack/charm-keystone
Code Issues Proposed changes
Files
2b6b708fab93aebeb86a22d24d794298221a402e
charm-keystone/templates/ocata/keystone.conf
Alex Kavanagh e83cb05bf8 Implement Security Compiance option for password 
This feature adds a "password-security-compliance" option to the
charm to enable setting of keys in the "[security_compliance]" section
of the keystone.conf file.  This section was added in the Newton
release, and so this feature supports this from the Newton release.

It also protects the service accounts from two of the PCI-DSS options
but setting the user options 'ignore_password_expiry' and
'ignore_change_password_upon_first_use' to True to prevent the cloud
from being broken.

Change-Id: If7c54fae73188284bd9b03a53626cdf52158b994
Closes-Bug: #1776688
2020-02-05 18:10:12 +00:00

137 lines
3.0 KiB
Plaintext
Raw Blame History

# ocata
###############################################################################
# [ WARNING ]
# Configuration file maintained by Juju. Local changes may be overwritten.
###############################################################################
[DEFAULT]
admin_token = {{ token }}
use_syslog = {{ use_syslog }}
log_config_append = {{ log_config }}
debug = {{ debug }}
public_endpoint = {{ public_endpoint }}
admin_endpoint = {{ admin_endpoint }}
[database]
{% if database_host -%}
connection = {{ database_type }}://{{ database_user }}:{{ database_password }}@{{ database_host }}/{{ database }}{% if database_ssl_ca %}?ssl_ca={{ database_ssl_ca }}{% if database_ssl_cert %}&ssl_cert={{ database_ssl_cert }}&ssl_key={{ database_ssl_key }}{% endif %}{% endif %}
{% else -%}
connection = sqlite:////var/lib/keystone/keystone.db
{% endif -%}
connection_recycle_time = 200
[identity]
driver = {{ identity_backend }}
{% if default_domain_id -%}
default_domain_id = {{ default_domain_id }}
{% endif -%}
{% if api_version == 3 -%}
domain_specific_drivers_enabled = True
domain_config_dir = {{ domain_config_dir }}
{% endif -%}
[credential]
driver = sql
[trust]
driver = sql
[os_inherit]
[catalog]
driver = sql
[endpoint_filter]
[token]
{% if token_provider == 'fernet' -%}
provider = fernet
{% else -%}
driver = sql
provider = uuid
{% endif -%}
expiration = {{ token_expiration }}
{% if token_provider == 'fernet' -%}
[fernet_tokens]
max_active_keys = {{ fernet_max_active_keys }}
{% endif -%}
{% include "parts/section-signing" %}
{% include "section-oslo-cache" %}
[policy]
driver = sql
[assignment]
driver = {{ assignment_backend }}
[oauth1]
{% if middlewares -%}
{% include "parts/section-middleware" %}
{% else %}
[auth]
methods = external,password,token,oauth1,mapped,openid,totp
password = keystone.auth.plugins.password.Password
{% endif %}
[paste_deploy]
config_file = {{ paste_config_file }}
[extra_headers]
Distribution = Ubuntu
[ldap]
{% if identity_backend == 'ldap' -%}
url = {{ ldap_server }}
user = {{ ldap_user }}
password = {{ ldap_password }}
suffix = {{ ldap_suffix }}
{% if ldap_config_flags -%}
{% for key, value in ldap_config_flags.items() -%}
{{ key }} = {{ value }}
{% endfor -%}
{% endif -%}
{% if ldap_readonly -%}
user_allow_create = False
user_allow_update = False
user_allow_delete = False
tenant_allow_create = False
tenant_allow_update = False
tenant_allow_delete = False
role_allow_create = False
role_allow_update = False
role_allow_delete = False
group_allow_create = False
group_allow_update = False
group_allow_delete = False
{% endif -%}
{% endif -%}
{% if api_version == 3 %}
[resource]
admin_project_domain_name = {{ admin_domain_name }}
admin_project_name = admin
{% endif -%}
{% if password_security_compliance %}
[security_compliance]
{% for k, v in password_security_compliance.items() -%}
{{ k }} = {{ v }}
{% endfor -%}
{% endif -%}
{% include "parts/section-federation" %}
{% include "section-oslo-middleware" %}
# This goes in the section above, selectively
# Bug #1819134
max_request_body_size = 114688
View Git Blame Copy Permalink