Add parameters to configure options in keystone's security_compliance group

These parameters were introduced as strings and will only be configured
if the value is set. This way it respects the $::os_service_default
settings which is the default for all of them.

Depends-On: I089f2e28cce2688ed080096c88ab539393627cfb
Change-Id: I3399129c41054a914bb91417c814cd063ee0c07e
Juan Antonio Osorio Robles 2018-01-04 14:39:55 +02:00
parent d05b39d149
commit cb875d327a
2 changed files with 123 additions and 0 deletions


@ -220,6 +220,63 @@ parameters:
description: Driver or drivers to handle sending notifications.
constraints:
- allowed_values: [ 'messagingv2', 'noop' ]
KeystoneChangePasswordUponFirstUse:
type: string
default: ''
description: >-
Enabling this option requires users to change their password when the
user is created, or upon administrative reset.
constraints:
- allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
KeystoneDisableUserAccountDaysInactive:
type: string
default: ''
description: >-
The maximum number of days a user can go without authenticating before
being considered "inactive" and automatically disabled (locked).
KeystoneLockoutDuration:
type: string
default: ''
description: >-
The number of seconds a user account will be locked when the maximum
number of failed authentication attempts (as specified by
KeystoneLockoutFailureAttempts) is exceeded.
KeystoneLockoutFailureAttempts:
type: string
default: ''
description: >-
The maximum number of times that a user can fail to authenticate before
the user account is locked for the number of seconds specified by
KeystoneLockoutDuration.
KeystoneMinimumPasswordAge:
type: string
default: ''
description: >-
The number of days that a password must be used before the user can
change it. This prevents users from changing their passwords immediately
in order to wipe out their password history and reuse an old password.
KeystonePasswordExpiresDays:
type: string
default: ''
description: >-
The number of days for which a password will be considered valid before
requiring it to be changed.
KeystonePasswordRegex:
type: string
default: ''
description: >-
The regular expression used to validate password strength requirements.
KeystonePasswordRegexDescription:
type: string
default: ''
description: >-
Describe your password regular expression here in language for humans.
KeystoneUniqueLastPasswordCount:
type: string
default: ''
description: >-
This controls the number of previous user password iterations to keep in
history, in order to enforce that newly created passwords are unique.
parameter_groups:
- label: deprecated
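Review bot: the six numeric parameters in this hunk (KeystoneDisableUserAccountDaysInactive, KeystoneLockoutDuration, KeystoneLockoutFailureAttempts, KeystoneMinimumPasswordAge, KeystonePasswordExpiresDays, KeystoneUniqueLastPasswordCount) carry no constraints, unlike KeystoneChangePasswordUponFirstUse just above them, so a typo such as `KeystoneLockoutDuration: 30s` or a negative number passes stack validation and only surfaces when keystone fails to read its configuration after deployment. Since the empty default is the "unset" sentinel, the constraint has to admit it; a pattern such as `- allowed_pattern: '^[0-9]*$'` under each of those parameters, added under `constraints:` the same way the `allowed_values` list is added for KeystoneChangePasswordUponFirstUse, catches the mistake at validation time while keeping '' valid.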
@ -251,6 +308,17 @@ conditions:
keystone_ldap_domain_enabled: {equals: [{get_param: KeystoneLDAPDomainEnable}, True]}
service_debug_unset: {equals : [{get_param: KeystoneDebug}, '']}
# Security compliance
change_password_upon_first_use_set: {not: {equals: [{get_param: KeystoneChangePasswordUponFirstUse}, '']}}
disable_user_account_days_inactive_set: {not: {equals: [{get_param: KeystoneDisableUserAccountDaysInactive}, '']}}
lockout_duration_set: {not: {equals: [{get_param: KeystoneLockoutDuration}, '']}}
lockout_failure_attempts_set: {not: {equals: [{get_param: KeystoneLockoutFailureAttempts}, '']}}
minimum_password_age_set: {not: {equals: [{get_param: KeystoneMinimumPasswordAge}, '']}}
password_expires_days_set: {not: {equals: [{get_param: KeystonePasswordExpiresDays}, '']}}
password_regex_set: {not: {equals: [{get_param: KeystonePasswordRegex}, '']}}
password_regex_description_set: {not: {equals: [{get_param: KeystonePasswordRegexDescription}, '']}}
unique_last_password_count_set: {not: {equals: [{get_param: KeystoneUniqueLastPasswordCount}, '']}}
outputs:
role_data:
description: Role data for the Keystone role.
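Review bot: style point on the nine new conditions: they follow the existing `service_debug_unset` pattern of comparing against '', which is the right sentinel for string parameters with an empty default, but they are named with a `_set` suffix while the neighbouring condition is `_unset`. Mixing the two senses in one `conditions:` block makes the `if:` branches below easy to misread when someone later adds an option; either keep the existing `_unset` convention (and swap the branch order in the `if:` blocks) or leave a one-line comment next to `# Security compliance` stating that these conditions are true when the parameter is non-empty.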
@ -385,6 +453,51 @@ outputs:
tripleo::profile::base::keystone::ldap_backends_config:
get_param: KeystoneLDAPBackendConfigs
- {}
-
if:
- change_password_upon_first_use_set
- keystone::security_compliance::change_password_upon_first_use: {get_param: KeystoneChangePasswordUponFirstUse}
- {}
-
if:
- disable_user_account_days_inactive_set
- keystone::security_compliance::disable_user_account_days_inactive: {get_param: KeystoneDisableUserAccountDaysInactive}
- {}
-
if:
- lockout_duration_set
- keystone::security_compliance::lockout_duration: {get_param: KeystoneLockoutDuration}
- {}
-
if:
- lockout_failure_attempts_set
- keystone::security_compliance::lockout_failure_attempts: {get_param: KeystoneLockoutFailureAttempts}
- {}
-
if:
- minimum_password_age_set
- keystone::security_compliance::minimum_password_age: {get_param: KeystoneMinimumPasswordAge}
- {}
-
if:
- password_expires_days_set
- keystone::security_compliance::password_expires_days: {get_param: KeystonePasswordExpiresDays}
- {}
-
if:
- password_regex_set
- keystone::security_compliance::password_regex: {get_param: KeystonePasswordRegex}
- {}
-
if:
- password_regex_description_set
- keystone::security_compliance::password_regex_description: {get_param: KeystonePasswordRegexDescription}
- {}
-
if:
- unique_last_password_count_set
- keystone::security_compliance::unique_last_password_count: {get_param: KeystoneUniqueLastPasswordCount}
- {}
step_config: |
include ::tripleo::profile::base::keystone
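Review bot: KeystoneChangePasswordUponFirstUse is a string parameter whose allowed values are the literals 'true', 'True', 'TRUE', 'false', 'False' and 'FALSE', and it is handed verbatim to `keystone::security_compliance::change_password_upon_first_use` in the first `if:` block of this hunk. Please confirm that the class introduced by the Depends-On change declares that parameter as a string (or a Variant of String and Boolean) rather than a Boolean, otherwise puppet data-type validation rejects the value, and that it does not merely test truthiness, since the string 'false' is truthy in Puppet and would enable the feature an operator meant to disable. The numeric options are passed as strings in the same way; if the class types them as Integer the same validation problem applies to all six.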


@ -0,0 +1,10 @@
---
features:
- |
The parameters KeystoneChangePasswordUponFirstUse,
KeystoneDisableUserAccountDaysInactive, KeystoneLockoutDuration,
KeystoneLockoutFailureAttempts, KeystoneMinimumPasswordAge,
KeystonePasswordExpiresDays, KeystonePasswordRegex,
KeystonePasswordRegexDescription, KeystoneUniqueLastPasswordCount were
introduced. They all correspond to keystone configuration options that
belong to the security_compliance group.
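Review bot: the release note lists the new parameter names but not how they behave when left unset, which is the point the commit message makes: each defaults to an empty string, and an empty value leaves the corresponding keystone option untouched so the service default (`$::os_service_default`) still applies. An operator reading only this note cannot tell whether leaving a value blank disables the feature or keeps the previous behaviour. Suggest adding a sentence such as: "All of them default to an empty string, in which case the corresponding keystone option is not written and keystone's own default applies; values are passed through as strings."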