Keystone Security Compliance ConfigurationΒΆ
About this task
You can configure custom password rules for keystone security compliance.
Procedure
Use the following parameters to set the rules for keystone security compliance.
system service-parameter-add identity security_compliance unique_last_password_count system service-parameter-add identity security_compliance password_regex system service-parameter-add identity security_compliance password_regex_description system service-parameter-add identity security_compliance password_expires_days
Note
password_expire_days
must be a positive integer.[sysadmin@controller-0 ~(keystone_admin)]$ system service-parameter-add identity security_compliance password_expires_days=90 +-------------+--------------------------------------+ | Property | Value | +-------------+--------------------------------------+ | uuid | 27d24c80-e9de-37ce-9d26-f21236782be8 | | service | identity | | section | security_compliance | | name | password_expires_days | | value | 90 | | personality | None | | resource | None | +-------------+--------------------------------------+
In order for the changes to take effect, apply the new configuration with the command:
system service-parameter-apply identity
For security reasons these parameters are validated:
unique_last_password_count
must be an integer equal or greater than zero.password_regex
must be a valid regex conforming to the Python Regular Expression (RE) syntax: https://docs.python.org/3/library/re.html.password_regex_description
must be a non empty string.
Note
The
password_regex_description
will be used by keystone as part of the error message when the user tries a password that does not conform to the rules. Make sure to have an explanatory description.For example:
[sysadmin@controller-0 ~(keystone_admin)]$ system service-parameter-add identity security_compliance unique_last_password_count=7 +-------------+--------------------------------------+ | Property | Value | +-------------+--------------------------------------+ | uuid | 27e18c80-e8be-47ce-9b24-f21136682de6 | | service | identity | | section | security_compliance | | name | unique_last_password_count | | value | 7 | | personality | None | | resource | None | +-------------+--------------------------------------+ [sysadmin@controller-0 ~(keystone_admin)]$ system service-parameter-add identity security_compliance password_regex='^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()<>{}+=_\\\[\]\-?|~`,.;:]).{20,}$' +-------------+---------------------------------------------------------------------------------+ | Property | Value | +-------------+---------------------------------------------------------------------------------+ | uuid | bab59259-4463-4bce-a6ed-e7b2dcfeb2ac | | service | identity | | section | security_compliance | | name | password_regex | | value | ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()<>{}+=_\\\[\]\-?|~`,.;:]).{20,}$ | | personality | None | | resource | None | +-------------+---------------------------------------------------------------------------------+ [sysadmin@controller-0 ~(keystone_admin)]$ system service-parameter-modify identity security_compliance password_regex_description='Password must have a minimum length of 20 characters, and must contain at least 1 upper case, 1 lower case, 1 digit, and 1 special character' +-------------+----------------------------------------------------------------------------------------------------------------------------------------------+ | Property | Value | +-------------+----------------------------------------------------------------------------------------------------------------------------------------------+ | uuid | 83ae409e-d5b5-4465-b71b-f29b81bdcb67 | | service | identity | | section | security_compliance | | name | password_regex_description | | value | Password must have a minimum length of 20 characters, and must contain at least 1 upper case, 1 lower case, 1 digit, and 1 special character | | personality | None | | resource | None | +-------------+----------------------------------------------------------------------------------------------------------------------------------------------+ [sysadmin@controller-0 ~(keystone_admin)]$ [sysadmin@controller-0 ~(keystone_admin)]$ system service-parameter-apply identity Applying platform service parameters
The system service-parameter-apply command will apply the configuration to
/etc/keystone/keystone.conf
and restart the keystone service.To see the exact moment keystone is restarted, check the
sm-customer.log
:[sysadmin@controller-0 ~(keystone_admin)]$ date Wed Oct 20 02:03:12 UTC 2021 [sysadmin@controller-0 ~(keystone_admin)]$ # let's check that keystone is being restarted [sysadmin@controller-0 ~(keystone_admin)]$ tailf -n 5 /var/log/sm-customer.log | 2021-10-20T02:02:42.109 | 398 | service-scn | vim | enabling-throttle | enabling | throttle open to enable service | 2021-10-20T02:02:42.110 | 399 | service-scn | cert-mon | enabling | enabled-active | enable success | 2021-10-20T02:02:42.141 | 400 | service-scn | hw-mon | enabling-throttle | enabling | throttle open to enable service | 2021-10-20T02:02:42.480 | 401 | service-scn | vim | enabling | enabled-active | enable success | 2021-10-20T02:02:43.584 | 402 | service-scn | hw-mon | enabling | enabled-active | enable success | 2021-10-20T02:04:19.289 | 403 | service-scn | keystone | enabled-active | disabling | restart safe requested | 2021-10-20T02:04:20.512 | 404 | service-scn | keystone | disabling | disabled | disable success | 2021-10-20T02:04:20.980 | 405 | service-scn | keystone | disabled | enabling-throttle | enabled-active state requested | 2021-10-20T02:04:21.007 | 406 | service-scn | keystone | enabling-throttle | enabling | throttle open to enable service | 2021-10-20T02:04:22.431 | 407 | service-scn | keystone | enabling | enabled-active | enable success
Search for
keystone.conf
to see the new rules being persisted.[sysadmin@controller-1 ~(keystone_admin)]$ sudo grep "unique_last_password_count\|password_regex" /etc/keystone/keystone.conf #unique_last_password_count = 0 unique_last_password_count = 7 #password_regex = <None> password_regex = ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()<>{}+=_\\\[\]\-?|~`,.;:]).{20,}$ #password_regex_description = <None> password_regex_description = 20 characters minimum, must have numbers and special characters
After that, the new rules are already in place, and they can be used.
[sysadmin@controller-1 ~(keystone_admin)]$ openstack user password set Current Password: New Password: Repeat New Password: The password does not match the requirements: 20 characters minimum, must have numbers and special characters. (HTTP 400) (Request-ID: req-3aa0f2f9-eef8-4f28-8e3c-ae4a7eaf1d29)