Enable Keystone security compliance policies

In the MCP OpenStack deployments, you can enable additional Keystone security compliance features independently of each other based on your corporate security policy. All available features apply only to the SQL back end for the Identity driver. By default, all security compliance features are disabled.

Note

This feature is available starting from the MCP 2019.2.4 maintenance update. Before enabling the feature, follow the steps described in Apply maintenance updates.

This section describes how to enable the Keystone security compliance features on an existing MCP OpenStack deployment. For new deployments, you can configure the compliance features during the Reclass deployment model creation through Model Designer.

Keystone security compliance parameters

For each operation, the list below gives the parameter that enables it in Keystone for all SQL back-end users and, where one exists, the per-user option that overrides the setting for specific users.

Force the user to change the password upon the first use
  • Enable in Keystone for all SQL back-end users:
    change_password_upon_first_use: True
    Forces the user to change their password upon the first use
  • Override settings for specific users:
    ignore_change_password_upon_first_use: True

Configure password expiration
  • Enable in Keystone for all SQL back-end users:
    password_expires_days: <NUM>
    Sets the number of days after which the password expires
  • Override settings for specific users:
    ignore_password_expiry: True

Set an account lockout threshold
  • Enable in Keystone for all SQL back-end users:
    lockout_failure_attempts: <NUM>
    Sets the maximum number of failed authentication attempts
    lockout_duration: <NUM>
    Sets the number of seconds for which a user stays locked out after exceeding the threshold
  • Override settings for specific users:
    ignore_lockout_failure_attempts: True

Restrict the user from changing their password
  • Enable in Keystone for all SQL back-end users: N/A
  • Override settings for specific users:
    lock_password: True

Configure password strength requirements
  • Enable in Keystone for all SQL back-end users:
    password_regex: <STRING> [1]
    Sets the strength requirements for the passwords
    password_regex_description: <STRING>
    Provides the text that describes the password strength requirements. Required if password_regex is set.
  • Override settings for specific users: N/A

Disable inactive users
  • Enable in Keystone for all SQL back-end users:
    disable_user_account_days_inactive: <NUM> [2]
    Sets the number of days of inactivity after which the user is disabled
  • Override settings for specific users: N/A

Configure a unique password history
  • Enable in Keystone for all SQL back-end users:
    unique_last_password_count: <NUM>
    Sets the number of passwords for a user that must be unique before an old password can be reused
    minimum_password_age: <NUM>
    Sets the number of days a password must be in use before the user can change it
  • Override settings for specific users: N/A

Warning

[1] When enabled, it may affect all operations with Heat. Heat creates its service users with its own regex: the generated passwords are 32 characters long and contain uppercase and lowercase letters, digits, and the special characters !, @, #, %, ^, & and *. Therefore, to avoid affecting Heat operations, verify that your custom value for this option allows such generated passwords. Currently, you cannot override the password regex enforcement in Keystone for a specific user.
[2] When enabled, it may affect autoscaling and other Heat operations that require deferred authentication. If the Heat service user created during the deployment has been inactive for the whole defined period and you then perform such an operation in a Heat stack for the first time since the deployment, the Heat service user will already be disabled and unable to authenticate. Currently, you cannot override this parameter in Keystone for a specific user.

To enable the security compliance policies:

  1. Log in to the Salt Master node.

  2. Open your Git project repository with the Reclass model on the cluster level.

  3. Open the openstack/control/init.yml file for editing.

  4. Configure the security compliance policies for the OpenStack service users as required.

    • For all OpenStack service users. For example:

      parameters:
        _param:
          openstack_service_user_options:
            ignore_change_password_upon_first_use: True
            ignore_password_expiry: True
            ignore_lockout_failure_attempts: False
            lock_password: False
      
    • For specific service users on OpenStack Queens and newer releases. For example:

      keystone:
        client:
          resources:
            v3:
              users:
                cinder:
                  options:
                    ignore_change_password_upon_first_use: True
                    ignore_password_expiry: False
                    ignore_lockout_failure_attempts: False
                    lock_password: True

    • For specific service users on OpenStack Pike and older releases. For example:

      keystone:
        client:
          server:
            identity:
              project:
                service:
                  user:
                    cinder:
                      options:
                        ignore_change_password_upon_first_use: True
                        ignore_password_expiry: False
                        ignore_lockout_failure_attempts: False
                        lock_password: True

  5. Enable the security compliance features on the Keystone server side by defining the related Keystone server parameters as required.

    Example configuration:

    keystone:
      server:
        security_compliance:
          disable_user_account_days_inactive: 90
          lockout_failure_attempts: 5
          lockout_duration: 600
          password_expires_days: 90
          unique_last_password_count: 10
          minimum_password_age: 0
          password_regex: '^(?=.*\d)(?=.*[a-zA-Z]).{7,}$$'
          password_regex_description: 'Your password must contain at least 1 letter, 1 digit, and have a minimum length of 7 characters'
          change_password_upon_first_use: true

  6. Apply the changes:

    salt -C 'I@keystone:client' state.sls keystone.client
    salt -C 'I@keystone:server' state.sls keystone.server
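The following pre-flight check is an added example, not part of the MCP documentation or the Salt formula: before applying the step 5 block, it verifies the two things warning [1] and the parameter list call for, namely that password_regex still accepts Heat-style generated passwords and that password_regex_description accompanies it. It assumes the block is loaded as a plain dict (no PyYAML), that $$ is the oslo.config escape for a literal $ in keystone.conf, and it constructs its own sample passwords from the character classes the warning lists.

```python
import re
import secrets
import string
# Constructed copy of the keystone:server:security_compliance block from step 5 (a dict, so no PyYAML needed).
SECURITY_COMPLIANCE = {
    "disable_user_account_days_inactive": 90,
    "lockout_failure_attempts": 5,
    "lockout_duration": 600,
    "password_expires_days": 90,
    "unique_last_password_count": 10,
    "minimum_password_age": 0,
    "password_regex": r"^(?=.*\d)(?=.*[a-zA-Z]).{7,}$$",
    "password_regex_description": "Your password must contain at least 1 letter, 1 digit, and have a minimum length of 7 characters",
    "change_password_upon_first_use": True,
}

HEAT_SPECIALS = "!@#%^&*"  # the special characters warning [1] says Heat puts in service-user passwords
HEAT_ALPHABET = string.ascii_letters + string.digits + HEAT_SPECIALS

def oslo_unescape(value):
    """oslo.config treats $ as a substitution marker, so a literal $ is written as $$ in keystone.conf."""
    return value.replace("$$", "$")

def heat_style_password():
    """Constructed stand-in for a Heat-generated password: 32 characters with one of each class."""
    pw = [secrets.choice(string.ascii_uppercase), secrets.choice(string.ascii_lowercase),
          secrets.choice(string.digits), secrets.choice(HEAT_SPECIALS)]
    pw += [secrets.choice(HEAT_ALPHABET) for _ in range(32 - len(pw))]
    secrets.SystemRandom().shuffle(pw)
    return "".join(pw)

def check_security_compliance(cfg, samples=200):
    """Pre-flight checks on the block; returns a list of findings (empty means it is safe to apply)."""
    findings = []
    regex = cfg.get("password_regex")
    if not regex:
        return findings
    if not cfg.get("password_regex_description"):
        findings.append("ERROR: password_regex is set without password_regex_description")
    if re.search(r"(?<!\$)\$(?!\$)", regex):
        findings.append("ERROR: bare $ in password_regex; write $$ so oslo.config keeps it literal")
    try:
        pattern = re.compile(oslo_unescape(regex))
    except re.error as exc:
        return findings + [f"ERROR: password_regex does not compile: {exc}"]
    rejected = [pw for pw in (heat_style_password() for _ in range(samples)) if not pattern.fullmatch(pw)]
    if rejected:  # warning [1]: Heat could no longer create its service users under this regex
        findings.append(f"ERROR: password_regex rejects Heat-style passwords, e.g. {rejected[0]}")
    return findings
```

Run check_security_compliance on the rendered pillar block before the salt state.sls keystone.server step; any ERROR finding means Heat service-user creation or the regex itself would break once applied.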