Bug 1530732
| Summary: | Keystone's security_compliance options are not configurable through director | | |
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Juan Antonio Osorio <josorior> |
| Component: | puppet-keystone | Assignee: | RHOS Maint <rhos-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Prasanth Anbalagan <panbalag> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 13.0 (Queens) | CC: | acanan, alee, dbecker, hrybacki, jjoyce, jschluet, kbasil, mburns, morazi, rhel-osp-director-maint, sclewis, slinaber, tvignaud |
| Target Milestone: | beta | Keywords: | Triaged |
| Target Release: | 13.0 (Queens) | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | puppet-keystone-12.3.1-0.20180320041258.5eb9a3f.el7ost openstack-tripleo-heat-templates-8.0.2-0.20180327213843.f25e2d8.el7ost puppet-tripleo-8.3.2-0.20180327181745.40b702f.el7ost | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-06-27 13:40:49 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Verified on

```
[stack@undercloud-0 usr]$ yum list installed | grep puppet-keystone
puppet-keystone.noarch 12.3.1-0.20180320041258.5eb9a3f.el7ost
sudo vi ./share/openstack-tripleo-heat-templates/puppet/services/keystone.yaml
```

```yaml
..
...
....
  KeystoneChangePasswordUponFirstUse:
    type: string
    default: ''
    description: >-
      Enabling this option requires users to change their password when the
      user is created, or upon administrative reset.
    constraints:
      - allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
  KeystoneDisableUserAccountDaysInactive:
    type: string
    default: ''
    description: >-
      The maximum number of days a user can go without authenticating before
      being considered "inactive" and automatically disabled (locked).
  KeystoneLockoutDuration:
    type: string
    default: ''
    description: >-
      The number of seconds a user account will be locked when the maximum
      number of failed authentication attempts (as specified by
      KeystoneLockoutFailureAttempts) is exceeded.
  KeystoneLockoutFailureAttempts:
    type: string
    default: ''
    description: >-
      The maximum number of times that a user can fail to authenticate before
      the user account is locked for the number of seconds specified by
      KeystoneLockoutDuration.
  KeystoneMinimumPasswordAge:
    type: string
    default: ''
    description: >-
      The number of days that a password must be used before the user can
      change it. This prevents users from changing their passwords immediately
      in order to wipe out their password history and reuse an old password.
....
...
..
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086

Description of problem:

None of the options available under the security_compliance group in keystone.conf are configurable through director. Namely:

disable_user_account_days_inactive, lockout_failure_attempts, lockout_duration, password_expires_days, unique_last_password_count, minimum_password_age, password_regex, password_regex_description, change_password_upon_first_use

Operators are expecting these options to be configurable.
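
A post-deployment check for the options listed in the description, as an added example (not part of the bug report or of any Red Hat tooling): it parses the text of a keystone.conf and reports which security_compliance options are unset and which configured settings cannot take effect. The `audit` function, the sample file and the wording of the findings are assumptions made for illustration.

```python
import configparser

# The nine [security_compliance] options named in the bug description.
OPTIONS = (
    "disable_user_account_days_inactive", "lockout_failure_attempts",
    "lockout_duration", "password_expires_days", "unique_last_password_count",
    "minimum_password_age", "password_regex", "password_regex_description",
    "change_password_upon_first_use",
)

# Constructed sample keystone.conf, not taken from a real deployment.
SAMPLE_CONF = """\
[DEFAULT]
debug = false

[security_compliance]
lockout_duration = 1800
minimum_password_age = 1
change_password_upon_first_use = True
"""


def audit(conf_text):
    """Return (unset_options, findings) for the text of a keystone.conf."""
    # default_section is renamed so values in [DEFAULT] are not inherited by
    # [security_compliance]; interpolation is off because regexes may hold '%'.
    parser = configparser.ConfigParser(
        interpolation=None, default_section="__unused__")
    parser.read_string(conf_text)
    section = {}
    if parser.has_section("security_compliance"):
        section = dict(parser.items("security_compliance"))
    configured = {k for k, v in section.items() if k in OPTIONS and v.strip()}
    unset = [name for name in OPTIONS if name not in configured]
    findings = []
    # Per the parameter descriptions, the lockout duration only applies once
    # the lockout_failure_attempts threshold is exceeded.
    if "lockout_duration" in configured and "lockout_failure_attempts" not in configured:
        findings.append("lockout_duration has no effect: lockout_failure_attempts is unset")
    # minimum_password_age exists to protect password history; assumption:
    # leaving unique_last_password_count unset means no history is enforced.
    if "minimum_password_age" in configured and "unique_last_password_count" not in configured:
        findings.append("minimum_password_age protects no history: unique_last_password_count is unset")
    return unset, findings


if __name__ == "__main__":
    unset, findings = audit(SAMPLE_CONF)
    print("unset:", ", ".join(unset))
    for finding in findings:
        print("finding:", finding)
```
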