Disable keystone account locking by default

It provides an easy to exploit DoS opportunity.

Change-Id: I3839e9930511ff2d3a6b69bef5ae898d92a21ff1

playbooks/roles/bifrost-keystone-install/defaults/main.yml

@@ -4,6 +4,9 @@ keystone_source_install: true
 keystone_git_url: https://opendev.org/openstack/keystone
 keystone_git_folder: /opt/stack/keystone
 
+keystone_lockout_security_attempts: -1
+keystone_lockout_duration: 1800
+
 skip_install: False
 # set to true to skip installing ironic dependencies
 skip_package_install: False

playbooks/roles/bifrost-keystone-install/templates/keystone.conf.j2

@@ -20,7 +20,10 @@ connection = mysql+pymysql://{{ keystone.database.username }}:{{ keystone.databa
 use_db_reconnect = true
 
 [security_compliance]
-lockout_failure_attempts = 3
+{% if keystone_lockout_security_attempts > 0 %}
+lockout_failure_attempts = {{ keystone_lockout_security_attempts }}
+lockout_duration = {{ keystone_lockout_duration }}
+{% endif %}
 
 [token]
 provider = fernet

releasenotes/notes/keystone-lockout-c8a26a09e0f0560b.yaml

@@ -0,0 +1,12 @@
+---
+security:
+  - |
+    When using Keystone, no longer locks users out of their accounts on 3
+    unsuccessful attempts to log in. This creates a very trivially exploitable
+    denial-of-service issue. Use ``keystone_lockout_security_attempts``
+    to re-enable (not recommended).
+features:
+  - |
+    If ``keystone_lockout_security_attempts`` is enabled, the amount of time
+    the account stays locked is now regulated by the new parameter
+    ``keystone_lockout_duration`` (defaulting to 1800 seconds).