openstack/puppet-keystone
Code Issues Proposed changes
3c95205e02
puppet-keystone/manifests/security_compliance.pp
Juan Antonio Osorio Robles d8b88f023a Add security_compliance manifest 
This sets up the parameters in keystone.conf that belong in the
security_compliance group.

Change-Id: Ic4d962910343ad30de7840124bbc7773ea3697a1
2018-01-04 09:28:35 +02:00

85 lines
3.8 KiB
Puppet
Raw Blame History

# == class: keystone::security_compliance
#
# Security compliance features for keystone, specifically to satisfy
# Payment Card Industry - Data Security Standard (PCI-DSS) v3.1 requirements.
#
# === parameters:
#
# [*change_password_upon_first_use*]
# Enabling this option requires users to change their password when the user
# is created, or upon administrative reset. (Boolean value)
# Defaults to $::os_service_default
#
# [*disable_user_account_days_inactive*]
# The maximum number of days a user can go without authenticating before
# being considered "inactive" and automatically disabled (locked). (Integer
# value)
# Defaults to $::os_service_default
#
# [*lockout_duration*]
# The number of seconds a user account will be locked when the maximum number
# of failed authentication attempts (as specified by `[security_compliance]
# lockout_failure_attempts`) is exceeded. (Integer value)
# Defaults to $::os_service_default
#
# [*lockout_failure_attempts*]
# The maximum number of times that a user can fail to authenticate before the
# user account is locked for the number of seconds specified by
# `[security_compliance] lockout_duration`. (Integer value)
# Defaults to $::os_service_default
#
# [*minimum_password_age*]
# The number of days that a password must be used before the user can change
# it. This prevents users from changing their passwords immediately in order
# to wipe out their password history and reuse an old password. (Integer
# value)
# Defaults to $::os_service_default
#
# [*password_expires_days*]
# The number of days for which a password will be considered valid before
# requiring it to be changed. (Integer value)
# Defaults to $::os_service_default
#
# [*password_regex*]
# The regular expression used to validate password strength requirements. By
# default, the regular expression will match any password. (String value)
# Defaults to $::os_service_default
#
# [*password_regex_description*]
# Describe your password regular expression here in language for humans.
# (String value)
# Defaults to $::os_service_default
#
# [*unique_last_password_count*]
# This controls the number of previous user password iterations to keep in
# history, in order to enforce that newly created passwords are unique.
# (Integer value)
# Defaults to $::os_service_default
#
class keystone::security_compliance(
$change_password_upon_first_use = $::os_service_default,
$disable_user_account_days_inactive = $::os_service_default,
$lockout_duration = $::os_service_default,
$lockout_failure_attempts = $::os_service_default,
$minimum_password_age = $::os_service_default,
$password_expires_days = $::os_service_default,
$password_regex = $::os_service_default,
$password_regex_description = $::os_service_default,
$unique_last_password_count = $::os_service_default,
) {
include ::keystone::deps
keystone_config {
'security_compliance/change_password_upon_first_use': value => $change_password_upon_first_use;
'security_compliance/disable_user_account_days_inactive': value => $disable_user_account_days_inactive;
'security_compliance/lockout_duration': value => $lockout_duration;
'security_compliance/lockout_failure_attempts': value => $lockout_failure_attempts;
'security_compliance/minimum_password_age': value => $minimum_password_age;
'security_compliance/password_expires_days': value => $password_expires_days;
'security_compliance/password_regex': value => $password_regex;
'security_compliance/password_regex_description': value => $password_regex_description;
'security_compliance/unique_last_password_count': value => $unique_last_password_count;
}
}
View Git Blame Copy Permalink