Make KeystoneChangePasswordUponFirstUse boolean

... because this parameter is used to configure the boolean value in
Keystone. The actual parameter in Keystone defaults to false so is not
needed by default.

Change-Id: I1f2d0ef077e9b10299d4f1966139b590de880db9
Takashi Kajinami 2022-06-24 00:56:21 +09:00
parent 8cb7c81d20
commit 2188b4ff94
2 changed files with 9 additions and 7 deletions

@ -243,13 +243,11 @@ parameters:
Cron to purge expired or soft-deleted trusts - User
default: 'keystone'
KeystoneChangePasswordUponFirstUse:
type: string
default: ''
type: boolean
default: false
description: >-
Enabling this option requires users to change their password when the
user is created, or upon administrative reset.
constraints:
- allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
KeystoneDisableUserAccountDaysInactive:
type: string
default: ''
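Review bot: Changing KeystoneChangePasswordUponFirstUse from `type: string` to `type: boolean` drops `''` from the accepted values, and `''` was both the old default and the first entry of the removed `allowed_values` list. An environment file that pinned the parameter to the empty string to mean "unset" is no longer covered by the declared type, so the upgrade note should tell operators to remove that setting or replace it with `false`. The neighbouring KeystoneDisableUserAccountDaysInactive keeps `type: string` with `default: ''`, so the security compliance parameters now follow two conventions; a line in the description saying why this one differs would help the next reader.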
@ -477,7 +475,6 @@ conditions:
- {get_param: EnableCache}
- {get_param: MemcachedTLS}
# Security compliance
change_password_upon_first_use_set: {not: {equals: [{get_param: KeystoneChangePasswordUponFirstUse}, '']}}
disable_user_account_days_inactive_set: {not: {equals: [{get_param: KeystoneDisableUserAccountDaysInactive}, '']}}
lockout_duration_set: {not: {equals: [{get_param: KeystoneLockoutDuration}, '']}}
lockout_failure_attempts_set: {not: {equals: [{get_param: KeystoneLockoutFailureAttempts}, '']}}
@ -663,8 +660,8 @@ outputs:
- keystone::policy::enforce_scope: true
keystone::policy::enforce_new_defaults: true
- if:
- change_password_upon_first_use_set
- keystone::security_compliance::change_password_upon_first_use: {get_param: KeystoneChangePasswordUponFirstUse}
- {get_param: KeystoneChangePasswordUponFirstUse}
- keystone::security_compliance::change_password_upon_first_use: true
- if:
- disable_user_account_days_inactive_set
- keystone::security_compliance::disable_user_account_days_inactive: {get_param: KeystoneDisableUserAccountDaysInactive}
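Review bot: In the rewritten `if` entry the value is hard-coded (`keystone::security_compliance::change_password_upon_first_use: true`) and the key is omitted whenever the parameter is false, so an explicit `false` can no longer be written into the generated settings, where the old string form let `'false'` pass through. The outcome then depends on the downstream default staying false, as the commit message assumes. Since the parameter is now a real boolean, consider dropping the `if` and emitting `{get_param: KeystoneChangePasswordUponFirstUse}` as the value unconditionally, or add a comment stating that omission on false is intentional. Separately, the adjacent entry passes a named condition (`disable_user_account_days_inactive_set`) as the first argument of `if`, while this one passes `{get_param: ...}` directly; please confirm that form is accepted by the template version this file declares, which is not visible in the hunk.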

@ -0,0 +1,5 @@
---
upgrade:
- |
The ``KeystoneChangePasswordUponFirstUse`` parameter is now enforced to
be a boolean value.
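Review bot: The upgrade note states that the parameter "is now enforced to be a boolean value" but gives operators no action to take. Add a sentence saying that the empty string, previously the default and an allowed value, is no longer accepted, and that leaving the parameter at `false` means the setting is not written at all, so the Keystone default applies.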