Bug 1530732 - Keystone's security_compliance options are not configurable through director
Summary: Keystone's security_compliance options are not configurable through director
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: puppet-keystone
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: beta
: 13.0 (Queens)
Assignee: RHOS Maint
QA Contact: Prasanth Anbalagan
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-01-03 16:59 UTC by Juan Antonio Osorio
Modified: 2018-06-27 13:41 UTC (History)
13 users (show)

Fixed In Version: puppet-keystone-12.3.1-0.20180320041258.5eb9a3f.el7ost openstack-tripleo-heat-templates-8.0.2-0.20180327213843.f25e2d8.el7ost puppet-tripleo-8.3.2-0.20180327181745.40b702f.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-06-27 13:40:49 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
OpenStack gerrit 531082 None master: MERGED puppet-keystone: Add security_compliance manifest (Ic4d962910343ad30de7840124bbc7773ea3697a1) 2018-03-29 16:15:07 UTC
OpenStack gerrit 531108 None master: MERGED puppet-tripleo: Include security_compliance manifest in keystone (I089f2e28cce2688ed080096c88ab539393627cfb) 2018-03-29 16:15:00 UTC
OpenStack gerrit 531143 None master: MERGED tripleo-heat-templates: Add parameters to configure options in keystone's security_compliance group (I3399129c41054a914b... 2018-03-29 16:14:53 UTC
Red Hat Product Errata RHEA-2018:2086 None None None 2018-06-27 13:41:41 UTC

Description Juan Antonio Osorio 2018-01-03 16:59:44 UTC
Description of problem:

None of the options available under the security_compliance group in keystone.conf are configurable through director. Namely:

    disable_user_account_days_inactive,
    lockout_failure_attempts,
    lockout_duration,
    password_expires_days,
    unique_last_password_count,
    minimum_password_age,
    password_regex,
    password_regex_description,
    change_password_upon_first_use

Operators are expecting these options to be configurable.

Comment 10 Prasanth Anbalagan 2018-04-12 17:11:11 UTC
Verified on 

[stack@undercloud-0 usr]$ yum list installed | grep puppet-keystone
puppet-keystone.noarch            12.3.1-0.20180320041258.5eb9a3f.el7ost


sudo vi ./share/openstack-tripleo-heat-templates/puppet/services/keystone.yaml
..
...
....
  KeystoneChangePasswordUponFirstUse:
    type: string
    default: ''
    description: >-
      Enabling this option requires users to change their password when the
      user is created, or upon administrative reset.
    constraints:
      - allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
  KeystoneDisableUserAccountDaysInactive:
    type: string
    default: ''
    description: >-
      The maximum number of days a user can go without authenticating before
      being considered "inactive" and automatically disabled (locked).
  KeystoneLockoutDuration:
    type: string
    default: ''
    description: >-
      The number of seconds a user account will be locked when the maximum
      number of failed authentication attempts (as specified by
      KeystoneLockoutFailureAttempts) is exceeded.
  KeystoneLockoutFailureAttempts:
    type: string
    default: ''
    description: >-
      The maximum number of times that a user can fail to authenticate before
      the user account is locked for the number of seconds specified by
      KeystoneLockoutDuration.
  KeystoneMinimumPasswordAge:
    type: string
    default: ''
    description: >-
      The number of days that a password must be used before the user can
      change it. This prevents users from changing their passwords immediately
      in order to wipe out their password history and reuse an old password.
....
...
..

Comment 12 errata-xmlrpc 2018-06-27 13:40:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086


Note You need to log in before you can comment on or make changes to this bug.