Lockout ignore user list

This patch adds a way for operators to ignore the lockout validation for
specific users, such as service users.

Closes-Bug: #1642348
Change-Id: I9d48578bc6b4f84acbaaa4251b59ffef10d58d8e

keystone/identity/backends/sql.py

@@ -83,6 +83,8 @@ class Identity(base.IdentityDriverBase):
         :returns Boolean: True if the account is locked; False otherwise
 
         """
+        if user_id in CONF.security_compliance.lockout_ignored_user_ids:
+            return False
         attempts = user_ref.local_user.failed_auth_count or 0
         max_attempts = CONF.security_compliance.lockout_failure_attempts
         lockout_duration = CONF.security_compliance.lockout_duration