Add lockout security compliance options for keystone
This change added support of two login fail lockout security
compliance options for keystone on Debian.
Test Plan for Debian:
PASS: package build, image build
PASS: system bootstrap, keystone is running by systemd
PASS: controller unlock, keystone is running by SM
PASS: "openstack endpoint list" return correct list
PASS: check the following two security compliance options are
set correclty in /etc/keystone/keystone.conf:
lockout_duration=1800
lockout_failure_attempts=5
Test Plan for CentOS:
PASS: system bootstrap, keystone is running by systemd
PASS: controller unlock, keystone is running by SM
PASS: "openstack endpoint list" return correct list
PASS: check the following two security compliance options are
set correclty in /etc/keystone/keystone.conf:
lockout_duration=1800
lockout_failure_attempts=5
Story: 2009101
Task: 44785
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: I09a65d070f1ed8e8aa65371f99f4aa722f671a1d
This commit is contained in:
Andy Ning
parent
df8ab84101
commit
e866d329d6
@ -0,0 +1,44 @@
|
||||
From 8cf5b37f70ade287cb5eaea7dd48d1eeb1ae737d Mon Sep 17 00:00:00 2001
|
||||
From: Andy Ning <andy.ning@windriver.com>
|
||||
Date: Mon, 14 Mar 2022 10:35:39 -0400
|
||||
Subject: [PATCH] Add login fail lockout security compliance options
|
||||
|
||||
Added two login fail lockout security compliance options:
|
||||
lockout_duration
|
||||
lockout_failure_attempts
|
||||
|
||||
Signed-off-by: Andy Ning <andy.ning@windriver.com>
|
||||
---
|
||||
debian/stx/password-rules.conf | 19 +++++++++++++++++++
|
||||
1 file changed, 19 insertions(+)
|
||||
|
||||
diff --git a/debian/stx/password-rules.conf b/debian/stx/password-rules.conf
|
||||
index e7ce656..ac18ef9 100644
|
||||
--- a/debian/stx/password-rules.conf
|
||||
+++ b/debian/stx/password-rules.conf
|
||||
@@ -32,3 +32,22 @@ password_regex = ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()<>{}+=_\\\[\]\-?
|
||||
# configuration variable will be returned to users to explain why their
|
||||
# requested password was insufficient. (string value)
|
||||
password_regex_description = Password must have a minimum length of 7 characters, and must contain at least 1 upper case, 1 lower case, 1 digit, and 1 special character
|
||||
+
|
||||
+# The number of seconds a user account will be locked when the maximum number
|
||||
+# of failed authentication attempts (as specified by `[security_compliance]
|
||||
+# lockout_failure_attempts`) is exceeded. Setting this option will have no
|
||||
+# effect unless you also set `[security_compliance] lockout_failure_attempts`
|
||||
+# to a non-zero value. This feature depends on the `sql` backend for the
|
||||
+# `[identity] driver`. (integer value)
|
||||
+# Minimum value: 1
|
||||
+lockout_duration=1800
|
||||
+
|
||||
+# The maximum number of times that a user can fail to authenticate before the
|
||||
+# user account is locked for the number of seconds specified by
|
||||
+# `[security_compliance] lockout_duration`. This feature is disabled by
|
||||
+# default. If this feature is enabled and `[security_compliance]
|
||||
+# lockout_duration` is not set, then users may be locked out indefinitely
|
||||
+# until the user is explicitly enabled via the API. This feature depends on
|
||||
+# the `sql` backend for the `[identity] driver`. (integer value)
|
||||
+# Minimum value: 1
|
||||
+lockout_failure_attempts=5
|
||||
--
|
||||
2.25.1
|
||||
|
||||
@ -1 +1,2 @@
|
||||
0001-Add-stx-support.patch
|
||||
0002-Add-login-fail-lockout-security-compliance-options.patch
|
||||
|
||||
Loading…
Reference in New Issue
Block a user