Bug 1041891

Summary: [RFE][keystone]: Inadequate Account Lockout in Keystone
Product: Red Hat OpenStack
Reporter: RHOS Integration <rhos-integ>
Component: RFEs
Assignee: RHOS Maint <rhos-maint>
Status: CLOSED UPSTREAM
QA Contact:
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: unspecified
CC: markmc, yeylon
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
URL: https://blueprints.launchpad.net/keystone/+spec/lock-user
Whiteboard: upstream_milestone_none upstream_status_not-started upstream_definition_obsolete
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-03-19 16:52:33 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description RHOS Integration 2013-12-12 19:55:15 UTC
Cloned from launchpad blueprint https://blueprints.launchpad.net/keystone/+spec/lock-user.

Description:

It is currently not possible to define an account Lockout policy in Openstack/Keystone to lock a user account after a given number of failed login attempts. So this blueprint is to add a configurable policy to lock a user account after a given number of failed login attempts.

Details:
Keystone's SQL Identity backend must support locking out accounts after some number of invalid login attempts. This is a common feature among authentication systems and is a common requirement among deployers.

Currently, users (or exploiters) can attempt to authenticate to Keystone as often as they want with invalid passwords. This is a security problem because it allows an attacker to use a dictionary of passwords if they know (or can guess) a username.

Keystone should be configurable so that it rejects any authentication attempts for a user after some number of invalid login attempts.
Keystone should be configurable so that lockouts do not happen.
The number of invalid login attempts must be configurable.
There needs to be some way to unlock an account that's locked.
There needs to be some way to tell if a user's account is locked or not.
There should be a way to list all locked users.
There should be a way to reset the number of attempts for a user.
Keystone must not provide information to an attacker that the account is locked or not.
Account lockouts must work when there are multiple Keystone servers (as in, use the common DB).

Specification URL (additional information):

None
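The requirements listed in the blueprint (configurable threshold, lockouts that can be disabled, unlock/reset/list operations, no leak of lockout state in the authentication response, and state kept in the shared database so every Keystone server sees it) can be sketched as a small policy class. This is an added illustration, not Keystone's own code; the `LockoutPolicy` class, the `lockout` table and the in-memory SQLite connection standing in for the shared SQL backend are all assumptions made here.

```python
import hmac
import sqlite3

# Constructed schema standing in for a table in Keystone's shared SQL backend.
SCHEMA = ("CREATE TABLE IF NOT EXISTS lockout "
          "(user TEXT PRIMARY KEY, failures INTEGER NOT NULL, locked INTEGER NOT NULL)")


class LockoutPolicy:
    """Hypothetical lockout policy; state lives in the common DB so that
    multiple Keystone servers enforce the same lock."""

    def __init__(self, conn, max_attempts=5, enabled=True):
        self.conn, self.max_attempts, self.enabled = conn, max_attempts, enabled
        conn.execute(SCHEMA)

    def _row(self, user):
        row = self.conn.execute(
            "SELECT failures, locked FROM lockout WHERE user=?", (user,)).fetchone()
        return row or (0, 0)

    def is_locked(self, user):
        # With the policy disabled no account is ever reported as locked.
        return self.enabled and bool(self._row(user)[1])

    def record_failure(self, user):
        failures = self._row(user)[0] + 1
        locked = int(self.enabled and failures >= self.max_attempts)
        self.conn.execute("INSERT OR REPLACE INTO lockout VALUES (?, ?, ?)",
                          (user, failures, locked))

    def reset(self, user):
        """Clear the failure counter and the lock for one user."""
        self.conn.execute("DELETE FROM lockout WHERE user=?", (user,))

    unlock = reset  # the administrative unlock action is the same operation

    def locked_users(self):
        return [r[0] for r in self.conn.execute(
            "SELECT user FROM lockout WHERE locked=1 ORDER BY user")]


def authenticate(policy, credentials, user, password):
    """Return True only for a correct password on an unlocked account.
    A wrong password, an unknown user and a locked account all produce the
    same False, so the response does not reveal whether the account is locked."""
    expected = credentials.get(user, "")
    password_ok = hmac.compare_digest(expected, password) and user in credentials
    if policy.is_locked(user) or not password_ok:
        policy.record_failure(user)
        return False
    policy.reset(user)  # a successful login clears the counter
    return True
```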