In MCP OpenStack deployments, you can enable additional Keystone security compliance features independently of each other, based on your corporate security policy. All available features apply only to the SQL back end of the Identity driver. By default, all security compliance features are disabled.
Note
This feature is available starting from the MCP 2019.2.4 maintenance update. Before enabling the feature, follow the steps described in Apply maintenance updates.
This section instructs you on how to enable the Keystone security compliance features on an existing MCP OpenStack deployment. For new deployments, you can configure the compliance features during the Reclass deployment model creation through Model Designer.
Operation | Enable in Keystone for all SQL back-end users | Override settings for specific users |
---|---|---|
Force the user to change the password upon the first use | change_password_upon_first_use | ignore_change_password_upon_first_use: True |
Configure password expiration | password_expires_days | ignore_password_expiry: True |
Set an account lockout threshold | lockout_failure_attempts, lockout_duration | ignore_lockout_failure_attempts: True |
Restrict the user from changing their password | N/A | lock_password: True |
Configure password strength requirements | password_regex [1], password_regex_description | N/A |
Disable inactive users | disable_user_account_days_inactive [2] | N/A |
Configure a unique password history | unique_last_password_count, minimum_password_age | N/A |
Warning
[1] When enabled, it may affect all operations with Heat. Heat generates the passwords of its service users with its own pattern: 32 characters containing uppercase and lowercase letters, digits, and special characters such as !, @, #, %, ^, & and *. Therefore, to avoid affecting Heat operations, verify that your custom value for this option allows such generated passwords. Currently, you cannot override the password regex enforcement in Keystone for a specific user.
[2] When enabled, it may affect autoscaling and other operations with Heat that require deferred authentication. If the first such operation in a Heat stack after deployment happens only after the defined inactivity period has elapsed, and the Heat service user created during the deployment has been inactive for that whole period, the Heat service user will be disabled and unable to authenticate. Currently, you cannot override this parameter in Keystone for a specific user.
To enable the security compliance policies:
Log in to the Salt Master node.
Open your Git project repository with the Reclass model on the cluster level.
Open the openstack/control/init.yml file for editing.
Configure the security compliance policies for the OpenStack service users as required.
For all OpenStack service users, for example:

```yaml
parameters:
  _param:
    openstack_service_user_options:
      ignore_change_password_upon_first_use: True
      ignore_password_expiry: True
      ignore_lockout_failure_attempts: False
      lock_password: False
```
For specific service users on OpenStack Queens and newer releases, for example:

```yaml
keystone:
  client:
    resources:
      v3:
        users:
          cinder:
            options:
              ignore_change_password_upon_first_use: True
              ignore_password_expiry: False
              ignore_lockout_failure_attempts: False
              lock_password: True
```
For specific service users on OpenStack Pike and older releases, for example:

```yaml
keystone:
  client:
    server:
      identity:
        project:
          service:
            user:
              cinder:
                options:
                  ignore_change_password_upon_first_use: True
                  ignore_password_expiry: False
                  ignore_lockout_failure_attempts: False
                  lock_password: True
```
Enable the security compliance features on the Keystone server side by defining the related Keystone server parameters as required.
Example configuration:

```yaml
keystone:
  server:
    security_compliance:
      disable_user_account_days_inactive: 90
      lockout_failure_attempts: 5
      lockout_duration: 600
      password_expires_days: 90
      unique_last_password_count: 10
      minimum_password_age: 0
      password_regex: '^(?=.*\d)(?=.*[a-zA-Z]).{7,}$$'
      password_regex_description: 'Your password must contains at least 1 letter, 1 digit, and have a minimum length of 7 characters'
      change_password_upon_first_use: true
```
Apply the changes:

```bash
salt -C 'I@keystone:client' state.sls keystone.client
salt -C 'I@keystone:server' state.sls keystone.server
```
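As an added check for footnote [1] (example code, not part of this page or of MCP), the following Python snippet unescapes the password_regex value from its oslo.config form (where `$$` stands for a literal `$`) and tests it against constructed Heat-style passwords built from the character set the footnote describes. The Heat generator itself is not reproduced; the sample passwords and the per-symbol probes are assumptions made for the check.

```python
import re
import secrets
import string

# Server-side value exactly as written in the Reclass example above. In
# oslo.config, "$$" is the escape for a literal "$", so the value must be
# unescaped before it is compiled the way Keystone will compile it.
RECLASS_PASSWORD_REGEX = r'^(?=.*\d)(?=.*[a-zA-Z]).{7,}$$'

# Character classes of Heat-generated service-user passwords as described in
# footnote [1]: upper- and lowercase letters, digits and ! @ # % ^ & *.
HEAT_SPECIAL_CHARS = "!@#%^&*"
HEAT_ALPHABET = string.ascii_letters + string.digits + HEAT_SPECIAL_CHARS
HEAT_PASSWORD_LENGTH = 32


def unescape_oslo(value: str) -> str:
    """Turn the oslo.config form ("$$") into the regex Keystone actually uses."""
    return value.replace("$$", "$")


def heat_style_password(length: int = HEAT_PASSWORD_LENGTH) -> str:
    """Constructed stand-in for a Heat password (assumption): one character
    from each class the footnote names, the rest from the full alphabet."""
    chars = [secrets.choice(string.ascii_uppercase),
             secrets.choice(string.ascii_lowercase),
             secrets.choice(string.digits),
             secrets.choice(HEAT_SPECIAL_CHARS)]
    chars += [secrets.choice(HEAT_ALPHABET) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def rejected_heat_passwords(reclass_value: str, samples: int = 200) -> list:
    """Return the constructed Heat-style passwords the policy would refuse.
    An empty list means the regex is safe for Heat's service users."""
    pattern = re.compile(unescape_oslo(reclass_value))
    rejected = []
    # Deterministic probes, one per special character, so a policy that bans
    # a single symbol is caught even if the random sample happens to miss it.
    base = "Aa1" + "x" * (HEAT_PASSWORD_LENGTH - 4)
    probes = [base + ch for ch in HEAT_SPECIAL_CHARS]
    probes += [heat_style_password() for _ in range(samples)]
    for candidate in probes:
        if pattern.match(candidate) is None:
            rejected.append(candidate)
    return rejected


if __name__ == "__main__":
    bad = rejected_heat_passwords(RECLASS_PASSWORD_REGEX)
    print("page regex rejects %d of the generated passwords" % len(bad))
```

Run the same check against any custom password_regex before applying keystone.server; a non-empty result means Heat's service users would be unable to authenticate under that policy.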