Keystone Security Compliance Configuration

You can configure custom password rules for keystone security compliance.

  1. Use the following parameters to set the rules for keystone security compliance.

    system service-parameter-add identity security_compliance unique_last_password_count
    system service-parameter-add identity security_compliance password_regex
    system service-parameter-add identity security_compliance password_regex_description
  2. In order for the changes to take effect, apply the new configuration with the command:

    system service-parameter-apply identity

    For security reasons, these parameters are validated:

    • unique_last_password_count must be an integer equal to or greater than zero.
    • password_regex must be a valid regex conforming to the Python Regular Expression (RE) syntax: https://docs.python.org/3/library/re.html.
    • password_regex_description must be a non-empty string.

    Note

    Keystone uses password_regex_description as part of the error message returned when a user tries a password that does not conform to the rules. Make sure the description explains the rules clearly.

    For example:

    [sysadmin@controller-0 ~(keystone_admin)]$ system service-parameter-add identity security_compliance unique_last_password_count=7
    +-------------+--------------------------------------+
    | Property    | Value                                |
    +-------------+--------------------------------------+
    | uuid        | 27e18c80-e8be-47ce-9b24-f21136682de6 |
    | service     | identity                             |
    | section     | security_compliance                  |
    | name        | unique_last_password_count           |
    | value       | 7                                    |
    | personality | None                                 |
    | resource    | None                                 |
    +-------------+--------------------------------------+
    [sysadmin@controller-0 ~(keystone_admin)]$ system service-parameter-add identity security_compliance password_regex='^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()<>{}+=_\\\[\]\-?|~`,.;:]).{20,}$'
    +-------------+---------------------------------------------------------------------------------+
    | Property    | Value                                                                           |
    +-------------+---------------------------------------------------------------------------------+
    | uuid        | bab59259-4463-4bce-a6ed-e7b2dcfeb2ac                                            |
    | service     | identity                                                                        |
    | section     | security_compliance                                                             |
    | name        | password_regex                                                                  |
    | value       | ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()<>{}+=_\\\[\]\-?|~`,.;:]).{20,}$ |
    | personality | None                                                                            |
    | resource    | None                                                                            |
    +-------------+---------------------------------------------------------------------------------+
    [sysadmin@controller-0 ~(keystone_admin)]$ system service-parameter-modify identity security_compliance password_regex_description='Password must have a minimum length of 20 characters, and must contain at least 1 upper case, 1 lower case, 1 digit, and 1 special character'
    +-------------+----------------------------------------------------------------------------------------------------------------------------------------------+
    | Property    | Value                                                                                                                                        |
    +-------------+----------------------------------------------------------------------------------------------------------------------------------------------+
    | uuid        | 83ae409e-d5b5-4465-b71b-f29b81bdcb67                                                                                                         |
    | service     | identity                                                                                                                                     |
    | section     | security_compliance                                                                                                                          |
    | name        | password_regex_description                                                                                                                   |
    | value       | Password must have a minimum length of 20 characters, and must contain at least 1 upper case, 1 lower case, 1 digit, and 1 special character |
    | personality | None                                                                                                                                         |
    | resource    | None                                                                                                                                         |
    +-------------+----------------------------------------------------------------------------------------------------------------------------------------------+
    [sysadmin@controller-0 ~(keystone_admin)]$
    [sysadmin@controller-0 ~(keystone_admin)]$ system service-parameter-apply identity
    Applying platform service parameters
  3. The system service-parameter-apply command will apply the configuration to /etc/keystone/keystone.conf and restart the keystone service.

    To see the exact moment keystone is restarted, check the sm-customer.log:

    [sysadmin@controller-0 ~(keystone_admin)]$ date
    Wed Oct 20 02:03:12 UTC 2021
    [sysadmin@controller-0 ~(keystone_admin)]$ # let's check that keystone is being restarted
    [sysadmin@controller-0 ~(keystone_admin)]$ tailf -n 5 /var/log/sm-customer.log
    | 2021-10-20T02:02:42.109 |        398 | service-scn          | vim                              | enabling-throttle                | enabling                         | throttle open to enable service
    | 2021-10-20T02:02:42.110 |        399 | service-scn          | cert-mon                         | enabling                         | enabled-active                   | enable success
    | 2021-10-20T02:02:42.141 |        400 | service-scn          | hw-mon                           | enabling-throttle                | enabling                         | throttle open to enable service
    | 2021-10-20T02:02:42.480 |        401 | service-scn          | vim                              | enabling                         | enabled-active                   | enable success
    | 2021-10-20T02:02:43.584 |        402 | service-scn          | hw-mon                           | enabling                         | enabled-active                   | enable success
    | 2021-10-20T02:04:19.289 |        403 | service-scn          | keystone                         | enabled-active                   | disabling                        | restart safe requested
    | 2021-10-20T02:04:20.512 |        404 | service-scn          | keystone                         | disabling                        | disabled                         | disable success
    | 2021-10-20T02:04:20.980 |        405 | service-scn          | keystone                         | disabled                         | enabling-throttle                | enabled-active state requested
    | 2021-10-20T02:04:21.007 |        406 | service-scn          | keystone                         | enabling-throttle                | enabling                         | throttle open to enable service
    | 2021-10-20T02:04:22.431 |        407 | service-scn          | keystone                         | enabling                         | enabled-active                   | enable success
  4. Search keystone.conf to confirm that the new rules have been persisted.

    [sysadmin@controller-1 ~(keystone_admin)]$ sudo grep "unique_last_password_count\|password_regex" /etc/keystone/keystone.conf
    #unique_last_password_count = 0
    unique_last_password_count = 7
    #password_regex = <None>
    password_regex = ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()<>{}+=_\\\[\]\-?|~`,.;:]).{20,}$
    #password_regex_description = <None>
    password_regex_description = 20 characters minimum, must have numbers and special characters
  5. The new rules are now in place and are enforced on password changes.

    [sysadmin@controller-1 ~(keystone_admin)]$ openstack user password set
    Current Password:
    New Password:
    Repeat New Password:
    The password does not match the requirements: 20 characters minimum, must have numbers and special characters. (HTTP 400) (Request-ID: req-3aa0f2f9-eef8-4f28-8e3c-ae4a7eaf1d29)
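The following added example (not part of the StarlingX documentation or the keystone code base) reproduces the three parameter checks listed in step 2 and then evaluates candidate passwords against the password_regex from this page, returning the error text in the format shown in the session output above. The sample values are constructed from this page; the exact keystone internals are not reproduced.

```python
import re

# Constructed sample of the three security_compliance values set on this page.
SAMPLE_PARAMS = {
    "unique_last_password_count": "7",
    "password_regex": r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()<>{}+=_\\\[\]\-?|~`,.;:]).{20,}$",
    "password_regex_description": (
        "Password must have a minimum length of 20 characters, and must contain "
        "at least 1 upper case, 1 lower case, 1 digit, and 1 special character"
    ),
}


def validate_params(params):
    """Apply the three checks the page lists before the parameters are applied.

    Returns a list of error strings; an empty list means all values are valid.
    """
    errors = []
    # unique_last_password_count must be an integer >= 0 ("7" passes, "-1" fails).
    try:
        if int(params.get("unique_last_password_count", "0")) < 0:
            raise ValueError("negative")
    except ValueError:
        errors.append("unique_last_password_count must be an integer >= 0")
    # password_regex must compile under Python RE syntax (keystone's engine).
    try:
        re.compile(params.get("password_regex", ""))
    except re.error as exc:
        errors.append(f"password_regex is not valid Python RE syntax: {exc}")
    if not params.get("password_regex_description", "").strip():
        errors.append("password_regex_description must be a non-empty string")
    return errors


def check_password(candidate, params):
    """Return None when the candidate matches password_regex, otherwise the
    error text in the format shown in the session above, with
    password_regex_description embedded (the HTTP 400 wrapping is assumed to
    be added by the API layer and is not reproduced here)."""
    if re.match(params["password_regex"], candidate):
        return None
    return ("The password does not match the requirements: "
            + params["password_regex_description"] + ".")


if __name__ == "__main__":
    assert validate_params(SAMPLE_PARAMS) == []
    print(check_password("Short1!", SAMPLE_PARAMS))                    # rejected
    print(check_password("Correct-Horse-Battery-Staple-42", SAMPLE_PARAMS))  # None
```

Feeding a candidate regex through validate_params before running system service-parameter-apply is a cheap way to catch a malformed pattern offline, since a regex that does not compile is rejected and the keystone restart is avoided.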