The patch  enabled two feature flags for keystone. Turns out the "security_compliance" feature flag needs extra settings to proper work, see  for more details.
To finally enable this setting, we need to create an additional job that will customize keystone.conf.
The attached change in Gerrithub.io removes the "security_compliance" setting, than, fixing this issue.
python-tempestconf-1.1.1 contains the fixes for this bug.
This feature (password rules) is not expected to be default enabled by any of the puppet based installer (packstack, director), so python-tempestconf MUST not enable it by default.
It is default disabled in python-tempest, python-tempestconf just started to override it without considering the consequences.
automated tests using new python-tempestconf-1.1.1-1.el7ost package passed, bug is fixed in this version of python-tempestconf
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.