Bug 1530732 - Keystone's security_compliance options are not configurable through director
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: puppet-keystone
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: beta
Target Release: 13.0 (Queens)
Assigned To: RHOS Maint
QA Contact: Prasanth Anbalagan
Keywords: Triaged
Reported: 2018-01-03 11:59 EST by Juan Antonio Osorio
Modified: 2018-06-27 09:41 EDT
Fixed In Version: puppet-keystone-12.3.1-0.20180320041258.5eb9a3f.el7ost openstack-tripleo-heat-templates-8.0.2-0.20180327213843.f25e2d8.el7ost puppet-tripleo-8.3.2-0.20180327181745.40b702f.el7ost
Last Closed: 2018-06-27 09:40:49 EDT
Type: Bug

External Trackers
Tracker ID Priority Status Summary Last Updated
OpenStack gerrit 531082 None master: MERGED puppet-keystone: Add security_compliance manifest (Ic4d962910343ad30de7840124bbc7773ea3697a1) 2018-03-29 12:15 EDT
OpenStack gerrit 531108 None master: MERGED puppet-tripleo: Include security_compliance manifest in keystone (I089f2e28cce2688ed080096c88ab539393627cfb) 2018-03-29 12:15 EDT
OpenStack gerrit 531143 None master: MERGED tripleo-heat-templates: Add parameters to configure options in keystone's security_compliance group (I3399129c41054a914b... 2018-03-29 12:14 EDT
Red Hat Product Errata RHEA-2018:2086 None None None 2018-06-27 09:41 EDT

Description Juan Antonio Osorio 2018-01-03 11:59:44 EST
Description of problem:

None of the options available under the security_compliance group in keystone.conf are configurable through director. Namely:

    disable_user_account_days_inactive,
    lockout_failure_attempts,
    lockout_duration,
    password_expires_days,
    unique_last_password_count,
    minimum_password_age,
    password_regex,
    password_regex_description,
    change_password_upon_first_use

Operators are expecting these options to be configurable.
Comment 10 Prasanth Anbalagan 2018-04-12 13:11:11 EDT
Verified on 

[stack@undercloud-0 usr]$ yum list installed | grep puppet-keystone
puppet-keystone.noarch            12.3.1-0.20180320041258.5eb9a3f.el7ost


sudo vi ./share/openstack-tripleo-heat-templates/puppet/services/keystone.yaml
..
...
....
  KeystoneChangePasswordUponFirstUse:
    type: string
    default: ''
    description: >-
      Enabling this option requires users to change their password when the
      user is created, or upon administrative reset.
    constraints:
      - allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
  KeystoneDisableUserAccountDaysInactive:
    type: string
    default: ''
    description: >-
      The maximum number of days a user can go without authenticating before
      being considered "inactive" and automatically disabled (locked).
  KeystoneLockoutDuration:
    type: string
    default: ''
    description: >-
      The number of seconds a user account will be locked when the maximum
      number of failed authentication attempts (as specified by
      KeystoneLockoutFailureAttempts) is exceeded.
  KeystoneLockoutFailureAttempts:
    type: string
    default: ''
    description: >-
      The maximum number of times that a user can fail to authenticate before
      the user account is locked for the number of seconds specified by
      KeystoneLockoutDuration.
  KeystoneMinimumPasswordAge:
    type: string
    default: ''
    description: >-
      The number of days that a password must be used before the user can
      change it. This prevents users from changing their passwords immediately
      in order to wipe out their password history and reuse an old password.
....
...
..
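
A post-deployment check for the options this bug makes configurable, as an added example (not code from the bug report or from the puppet-keystone or TripleO projects): it parses keystone.conf text and reports which of the nine security_compliance options are unset or malformed. The function name, finding strings and sample file are constructed for illustration, and it assumes the file parses with Python's configparser.

```python
import configparser
import re

# The nine [security_compliance] options listed in the bug description.
INT_OPTS = ("disable_user_account_days_inactive", "lockout_failure_attempts",
            "lockout_duration", "password_expires_days",
            "unique_last_password_count", "minimum_password_age")
OTHER_OPTS = ("password_regex", "password_regex_description",
              "change_password_upon_first_use")
# Spellings allowed by the KeystoneChangePasswordUponFirstUse constraint.
BOOLEANS = {"true", "True", "TRUE", "false", "False", "FALSE"}


def audit_security_compliance(conf_text):
    """Return a sorted list of findings for keystone.conf content given as text."""
    # Assumption: the file is plain INI that configparser can read.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    sec = {}
    if parser.has_section("security_compliance"):
        sec = {k: v.strip() for k, v in parser.items("security_compliance")}
    val = {opt: sec.get(opt, "") for opt in INT_OPTS + OTHER_OPTS}
    findings = [f"{opt}: not set" for opt, v in val.items() if not v]
    for opt in INT_OPTS:
        if val[opt] and not re.fullmatch(r"[0-9]+", val[opt]):
            findings.append(f"{opt}: not a non-negative integer: {val[opt]!r}")
    # The duration only applies once the failure-attempt limit is exceeded.
    if val["lockout_duration"] and not val["lockout_failure_attempts"]:
        findings.append("lockout_duration: no effect without lockout_failure_attempts")
    if val["password_regex"]:
        try:
            re.compile(val["password_regex"])
        except re.error as exc:
            findings.append(f"password_regex: does not compile: {exc}")
    flag = val["change_password_upon_first_use"]
    if flag and flag not in BOOLEANS:
        findings.append(f"change_password_upon_first_use: not a boolean: {flag!r}")
    return sorted(findings)


# Constructed sample, not taken from a real deployment.
SAMPLE_CONF = """\
[security_compliance]
lockout_duration = 1800
password_expires_days = ninety
password_regex = ^(?=.*\\d)(?=.*[a-zA-Z]).{12,}$
change_password_upon_first_use = True
"""

if __name__ == "__main__":
    print("\n".join(audit_security_compliance(SAMPLE_CONF)))
```
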
Comment 12 errata-xmlrpc 2018-06-27 09:40:49 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086
