Enable Keystone security compliance policies

In the MCP OpenStack deployments, you can enable additional Keystone security compliance features independently of each other based on your corporate security policy. All available features apply only to the SQL back end for the Identity driver. By default, all security compliance features are disabled.

Note

This feature is available starting from the MCP 2019.2.4 maintenance update. Before enabling the feature, follow the steps described in Apply maintenance updates.

This section instructs you on how to enable the Keystone security compliance features on an existing MCP OpenStack deployment. For new deployments, you can configure the compliance features during the Reclass deployment model creation through Model Designer.

Keystone security compliance parameters

Each operation below is enabled for all SQL back-end users through the corresponding option in the [security_compliance] section of keystone.conf ("All SQL back-end users") and, where Keystone supports it, exempted or enforced for an individual user through that user's options ("Specific users"). N/A means that no option exists in that column.

Force the user to change the password upon the first use
  All SQL back-end users:  change_password_upon_first_use: True
                           Forces the user to change their password upon the first use
  Specific users:          ignore_change_password_upon_first_use: True

Configure password expiration
  All SQL back-end users:  password_expires_days: <NUM>
                           Sets the number of days after which the password expires
  Specific users:          ignore_password_expiry: True

Set an account lockout threshold
  All SQL back-end users:  lockout_failure_attempts: <NUM>
                           Sets the maximum number of failed authentication attempts before the account is locked
                           lockout_duration: <NUM>
                           Sets the number of seconds for which the account stays locked once the threshold is reached
  Specific users:          ignore_lockout_failure_attempts: True

Restrict the user from changing their password
  All SQL back-end users:  N/A
  Specific users:          lock_password: True

Configure password strength requirements
  All SQL back-end users:  password_regex: <STRING> [1]
                           Sets the strength requirements for passwords as a regular expression
                           password_regex_description: <STRING>
                           Provides the text that describes the password strength requirements. Required if password_regex is set.
  Specific users:          N/A

Disable inactive users
  All SQL back-end users:  disable_user_account_days_inactive: <NUM> [2]
                           Sets the number of days of inactivity after which the user is disabled
  Specific users:          N/A

Configure a unique password history
  All SQL back-end users:  unique_last_password_count: <NUM>
                           Sets the number of previous passwords that must be unique before an old password can be reused
                           minimum_password_age: <NUM>
                           Sets the number of days a password must be in use before the user can change it
  Specific users:          N/A

Warning

[1] When enabled, it may affect all Heat operations. Heat creates its service users with its own password generator: 32 characters drawn from uppercase and lowercase letters, digits, and the special characters !, @, #, %, ^, & and *. To avoid breaking Heat, verify that your custom value for this option accepts such generated passwords. Currently, you cannot override the password regex enforcement in Keystone for a specific user.

[2] When enabled, it may affect autoscaling and other Heat operations that rely on deferred authentication. The Heat service user is created during deployment; if it stays inactive for the configured number of days, Keystone disables it, and the first deferred-authentication operation on a Heat stack after that period (for example, an autoscaling action) fails to authenticate. Currently, you cannot override this parameter in Keystone for a specific user.
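The check that footnote [1] asks for, as an added example that is not part of the original page or of the MCP, Keystone or Heat code: a Python script that takes a password_regex value as it would be written in keystone.conf and reports which Heat-style service-user passwords it would reject. The password shape (32 characters from the classes named in the warning, at least one of each) and the sample passwords are constructed here from the page's description; the policies other than the page's own example are hypothetical.

```python
import re
import secrets
import string

# Character classes the page says Heat uses for the 32-character passwords of
# its service users: upper- and lowercase letters, digits, and ! @ # % ^ & *.
HEAT_SPECIALS = "!@#%^&*"
HEAT_ALPHABET = string.ascii_letters + string.digits + HEAT_SPECIALS
HEAT_PASSWORD_LENGTH = 32

# Constructed, deterministic samples: one per special character, so a policy
# that allows only some of Heat's special characters is caught reliably.
CONSTRUCTED_SAMPLES = [
    "Aa1" + special + "x" * (HEAT_PASSWORD_LENGTH - 4) for special in HEAT_SPECIALS
]


def keystone_conf_regex_to_python(value):
    """Undo oslo.config escaping.

    keystone.conf is read by oslo.config, which treats '$' as a substitution
    marker, so a literal '$' is written as '$$' (hence the trailing '$$' in the
    page's example). Python's re module, which Keystone uses to enforce
    password_regex, expects the single '$'.
    """
    return value.replace("$$", "$")


def heat_style_password(rng=None):
    """Constructed password shaped like Heat's generated ones (assumption: one
    character of each class guaranteed, the rest random from the alphabet)."""
    rng = rng or secrets.SystemRandom()
    chars = [
        rng.choice(string.ascii_uppercase),
        rng.choice(string.ascii_lowercase),
        rng.choice(string.digits),
        rng.choice(HEAT_SPECIALS),
    ]
    chars += [rng.choice(HEAT_ALPHABET) for _ in range(HEAT_PASSWORD_LENGTH - len(chars))]
    rng.shuffle(chars)
    return "".join(chars)


def rejected_samples(conf_regex, samples):
    """Return the samples that the given password_regex (as written in
    keystone.conf) would reject. An empty list means Heat's passwords pass."""
    pattern = re.compile(keystone_conf_regex_to_python(conf_regex))
    return [s for s in samples if pattern.match(s) is None]


def check_policy(conf_regex, random_samples=200):
    """Run the fixed samples plus a batch of random Heat-style passwords."""
    samples = CONSTRUCTED_SAMPLES + [heat_style_password() for _ in range(random_samples)]
    return rejected_samples(conf_regex, samples)


if __name__ == "__main__":
    # The page's example policy, and two hypothetical stricter ones.
    policies = {
        "page example": r"^(?=.*\d)(?=.*[a-zA-Z]).{7,}$$",
        "only some specials": r"^(?=.*[!@#%])(?=.*\d)(?=.*[A-Z]).{12,}$$",
        "alphanumeric only": r"^[A-Za-z0-9]{12,}$$",
    }
    for name, conf_regex in policies.items():
        bad = check_policy(conf_regex)
        if bad:
            print(f"{name}: would reject {len(bad)} Heat-style password(s), e.g. {bad[0]}")
        else:
            print(f"{name}: OK, Heat-style passwords are accepted")
```

Run it against your intended password_regex before applying step 5; a non-empty result means Heat's generated passwords violate the policy and Heat operations would be affected. The script undoes the $$ escaping itself, so paste the value exactly as it appears in the Reclass model.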

To enable the security compliance policies:

  1. Log in to the Salt Master node.

  2. Open your Git project repository with the Reclass model on the cluster level.

  3. Open the openstack/control/init.yml file for editing.

  4. Configure the security compliance policies for the OpenStack service users as required. Exempting service users from lockout with ignore_lockout_failure_attempts: True keeps a remote party from locking a service account, and with it the service, by repeatedly failing authentication; the trade-off is that those accounts get no brute-force throttling, so keep their generated passwords long and random.

    • For all OpenStack service users. For example:

      parameters:
        _param:
          openstack_service_user_options:
            ignore_change_password_upon_first_use: True
            ignore_password_expiry: True
            ignore_lockout_failure_attempts: False
            lock_password: False
      
    • For specific service users on OpenStack Queens and newer releases. For example:

      keystone:
        client:
          resources:
            v3:
              users:
                cinder:
                  options:
                    ignore_change_password_upon_first_use: True
                    ignore_password_expiry: False
                    ignore_lockout_failure_attempts: False
                    lock_password: True
      
    • For specific service users on OpenStack Pike and older releases. For example:

      keystone:
        client:
          server:
            identity:
              project:
                service:
                  user:
                    cinder:
                      options:
                        ignore_change_password_upon_first_use: True
                        ignore_password_expiry: False
                        ignore_lockout_failure_attempts: False
                        lock_password: True
      
  5. Enable the security compliance features on the Keystone server side by defining the related Keystone server parameters as required.

    Example configuration:

    keystone:
      server:
        security_compliance:
          disable_user_account_days_inactive: 90
          lockout_failure_attempts: 5
          lockout_duration: 600
          password_expires_days: 90
          unique_last_password_count: 10
          minimum_password_age: 0
          password_regex: '^(?=.*\d)(?=.*[a-zA-Z]).{7,}$$'
          password_regex_description: 'Your password must contain at least 1 letter, 1 digit, and have a minimum length of 7 characters'
          change_password_upon_first_use: true
    
  6. Apply the changes:

    salt -C 'I@keystone:client' state.sls keystone.client
    salt -C 'I@keystone:server' state.sls keystone.server