Add info for configuring Keystone's security compliance settings

These were added recently [1], and documentation was needed.

[1] I3399129c41054a914bb91417c814cd063ee0c07e

Change-Id: Ib586cd1c8a522116364894b1a1e9703e66cad257
This commit is contained in:
Juan Antonio Osorio Robles 2018-01-31 08:36:57 +02:00
parent dd0ccf847a
commit bb61cc7001
2 changed files with 51 additions and 0 deletions

View File

@ -18,6 +18,7 @@ Documentation on how to enable and configure various features available in
baremetal_overcloud baremetal_overcloud
ovs_dpdk_config ovs_dpdk_config
deployed_server deployed_server
keystone_security_compliance
security_hardening security_hardening
api_policies api_policies
disable_telemetry disable_telemetry

View File

@ -0,0 +1,50 @@
Keystone Security Compliance
============================
Keystone has several configuration options available in order to comply with
standards such as Payment Card Industry - Data Security Standard (PCI-DSS)
v3.1.
TripleO exposes these features via Heat parameters. They will be listed below:
* ``KeystoneChangePasswordUponFirstUse``: Enabling this option requires users
to change their password when the user is created, or upon administrative
reset.
* ``KeystoneDisableUserAccountDaysInactive``: The maximum number of days a user
can go without authenticating before being considered "inactive" and
automatically disabled (locked).
* ``KeystoneLockoutDuration``: The number of seconds a user account will be
locked when the maximum number of failed authentication attempts (as
specified by ``KeystoneLockoutFailureAttempts``) is exceeded.
* ``KeystoneLockoutFailureAttempts``: The maximum number of times that a user
can fail to authenticate before the user account is locked for the number of
seconds specified by ``KeystoneLockoutDuration``.
* ``KeystoneMinimumPasswordAge``: The number of days that a password must be
used before the user can change it. This prevents users from changing their
passwords immediately in order to wipe out their password history and reuse
an old password.
* ``KeystonePasswordExpiresDays``: The number of days for which a password will
be considered valid before requiring it to be changed.
* ``KeystonePasswordRegex``: The regular expression used to validate password
strength requirements.
* ``KeystonePasswordRegexDescription``: Describe your password regular
expression here in language for humans.
* ``KeystoneUniqueLastPasswordCount``: This controls the number of previous
user password iterations to keep in history, in order to enforce that newly
created passwords are unique.
.. note:: All of the aforementioned options only apply to the SQL backend. For
other identity backends like LDAP, these configuration settings
should be applied on that backend's side.
.. note:: All of these parameters are defined as type ``string`` in heat. As
per the implementation, if left unset, they will not be configured at
all in the keystone configuration.