Keystone Security Compliance ConfigurationΒΆ

About this task

You can configure custom password rules for keystone security compliance.

Procedure

  1. Use the following parameters to set the rules for keystone security compliance.

    system service-parameter-add identity security_compliance unique_last_password_count
    system service-parameter-add identity security_compliance password_regex
    system service-parameter-add identity security_compliance password_regex_description
    system service-parameter-add identity security_compliance password_expires_days
    

    Note

    password_expire_days must be a positive integer.

    [sysadmin@controller-0 ~(keystone_admin)]$ system service-parameter-add identity security_compliance password_expires_days=90
    +-------------+--------------------------------------+
    | Property    | Value                                |
    +-------------+--------------------------------------+
    | uuid        | 27d24c80-e9de-37ce-9d26-f21236782be8 |
    | service     | identity                             |
    | section     | security_compliance                  |
    | name        | password_expires_days                |
    | value       | 90                                   |
    | personality | None                                 |
    | resource    | None                                 |
    +-------------+--------------------------------------+
    
  2. In order for the changes to take effect, apply the new configuration with the command:

    system service-parameter-apply identity
    

    For security reasons these parameters are validated:

    • unique_last_password_count must be an integer equal or greater than zero.

    • password_regex must be a valid regex conforming to the Python Regular Expression (RE) syntax: https://docs.python.org/3/library/re.html.

    • password_regex_description must be a non empty string.

    Note

    The password_regex_description will be used by keystone as part of the error message when the user tries a password that does not conform to the rules. Make sure to have an explanatory description.

    For example:

    [sysadmin@controller-0 ~(keystone_admin)]$ system service-parameter-add identity security_compliance unique_last_password_count=7
    +-------------+--------------------------------------+
    | Property    | Value                                |
    +-------------+--------------------------------------+
    | uuid        | 27e18c80-e8be-47ce-9b24-f21136682de6 |
    | service     | identity                             |
    | section     | security_compliance                  |
    | name        | unique_last_password_count           |
    | value       | 7                                    |
    | personality | None                                 |
    | resource    | None                                 |
    +-------------+--------------------------------------+
    [sysadmin@controller-0 ~(keystone_admin)]$ system service-parameter-add identity security_compliance password_regex='^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()<>{}+=_\\\[\]\-?|~`,.;:]).{20,}$'
    +-------------+---------------------------------------------------------------------------------+
    | Property    | Value                                                                           |
    +-------------+---------------------------------------------------------------------------------+
    | uuid        | bab59259-4463-4bce-a6ed-e7b2dcfeb2ac                                            |
    | service     | identity                                                                        |
    | section     | security_compliance                                                             |
    | name        | password_regex                                                                  |
    | value       | ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()<>{}+=_\\\[\]\-?|~`,.;:]).{20,}$ |
    | personality | None                                                                            |
    | resource    | None                                                                            |
    +-------------+---------------------------------------------------------------------------------+
    [sysadmin@controller-0 ~(keystone_admin)]$ system service-parameter-modify identity security_compliance password_regex_description='Password must have a minimum length of 20 characters, and must contain at least 1 upper case, 1 lower case, 1 digit, and 1 special character'
    +-------------+----------------------------------------------------------------------------------------------------------------------------------------------+
    | Property    | Value                                                                                                                                        |
    +-------------+----------------------------------------------------------------------------------------------------------------------------------------------+
    | uuid        | 83ae409e-d5b5-4465-b71b-f29b81bdcb67                                                                                                         |
    | service     | identity                                                                                                                                     |
    | section     | security_compliance                                                                                                                          |
    | name        | password_regex_description                                                                                                                   |
    | value       | Password must have a minimum length of 20 characters, and must contain at least 1 upper case, 1 lower case, 1 digit, and 1 special character |
    | personality | None                                                                                                                                         |
    | resource    | None                                                                                                                                         |
    +-------------+----------------------------------------------------------------------------------------------------------------------------------------------+
    [sysadmin@controller-0 ~(keystone_admin)]$
    [sysadmin@controller-0 ~(keystone_admin)]$ system service-parameter-apply identity
    Applying platform service parameters
    
  3. The system service-parameter-apply command will apply the configuration to /etc/keystone/keystone.conf and restart the keystone service.

    To see the exact moment keystone is restarted, check the sm-customer.log:

    [sysadmin@controller-0 ~(keystone_admin)]$ date
    Wed Oct 20 02:03:12 UTC 2021
    [sysadmin@controller-0 ~(keystone_admin)]$ # let's check that keystone is being restarted
    [sysadmin@controller-0 ~(keystone_admin)]$ tailf -n 5 /var/log/sm-customer.log
    | 2021-10-20T02:02:42.109 |        398 | service-scn          | vim                              | enabling-throttle                | enabling                         | throttle open to enable service
    | 2021-10-20T02:02:42.110 |        399 | service-scn          | cert-mon                         | enabling                         | enabled-active                   | enable success
    | 2021-10-20T02:02:42.141 |        400 | service-scn          | hw-mon                           | enabling-throttle                | enabling                         | throttle open to enable service
    | 2021-10-20T02:02:42.480 |        401 | service-scn          | vim                              | enabling                         | enabled-active                   | enable success
    | 2021-10-20T02:02:43.584 |        402 | service-scn          | hw-mon                           | enabling                         | enabled-active                   | enable success
    | 2021-10-20T02:04:19.289 |        403 | service-scn          | keystone                         | enabled-active                   | disabling                        | restart safe requested
    | 2021-10-20T02:04:20.512 |        404 | service-scn          | keystone                         | disabling                        | disabled                         | disable success
    | 2021-10-20T02:04:20.980 |        405 | service-scn          | keystone                         | disabled                         | enabling-throttle                | enabled-active state requested
    | 2021-10-20T02:04:21.007 |        406 | service-scn          | keystone                         | enabling-throttle                | enabling                         | throttle open to enable service
    | 2021-10-20T02:04:22.431 |        407 | service-scn          | keystone                         | enabling                         | enabled-active                   | enable success
    
  4. Search for keystone.conf to see the new rules being persisted.

    [sysadmin@controller-1 ~(keystone_admin)]$ sudo grep "unique_last_password_count\|password_regex" /etc/keystone/keystone.conf
    #unique_last_password_count = 0
    unique_last_password_count = 7
    #password_regex = <None>
    password_regex = ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()<>{}+=_\\\[\]\-?|~`,.;:]).{20,}$
    #password_regex_description = <None>
    password_regex_description = 20 characters minimum, must have numbers and special characters
    
  5. After that, the new rules are already in place, and they can be used.

    [sysadmin@controller-1 ~(keystone_admin)]$ openstack user password set
    Current Password:
    New Password:
    Repeat New Password:
    The password does not match the requirements: 20 characters minimum, must have numbers and special characters. (HTTP 400) (Request-ID: req-3aa0f2f9-eef8-4f28-8e3c-ae4a7eaf1d29)