From 495c9e94277d912889f3af1a09848810e05e7f16 Mon Sep 17 00:00:00 2001 From: Elisamara Aoki Goncalves Date: Mon, 22 Nov 2021 11:55:11 -0300 Subject: [PATCH] Platform keystone password rule configuration Applied minor fixes Applied editorial fixes Story: 200984 Task: 43720 Signed-off-by: Elisamara Aoki Goncalves Change-Id: I80b0996b7d19c61630542ccd3b1316967d74366c --- .../security/kubernetes/keystone-accounts.rst | 3 +- ...-compliance-configuration-b149adca6a7f.rst | 133 ++++++++++++++++++ 2 files changed, 135 insertions(+), 1 deletion(-) create mode 100644 doc/source/security/kubernetes/keystone-security-compliance-configuration-b149adca6a7f.rst diff --git a/doc/source/security/kubernetes/keystone-accounts.rst b/doc/source/security/kubernetes/keystone-accounts.rst index 9d7d53d51..0c1518b37 100644 --- a/doc/source/security/kubernetes/keystone-accounts.rst +++ b/doc/source/security/kubernetes/keystone-accounts.rst @@ -19,4 +19,5 @@ See :ref:`Keystone Accounts ` for more details. keystone-account-authentication manage-keystone-accounts configure-the-keystone-token-expiration-time - password-recovery \ No newline at end of file + password-recovery + keystone-security-compliance-configuration-b149adca6a7f \ No newline at end of file diff --git a/doc/source/security/kubernetes/keystone-security-compliance-configuration-b149adca6a7f.rst b/doc/source/security/kubernetes/keystone-security-compliance-configuration-b149adca6a7f.rst new file mode 100644 index 000000000..c1305826b --- /dev/null +++ b/doc/source/security/kubernetes/keystone-security-compliance-configuration-b149adca6a7f.rst 
@@ -0,0 +1,133 @@ +.. _keystone-security-compliance-configuration-b149adca6a7f: + +========================================== +Keystone Security Compliance Configuration +========================================== + +.. rubric:: |context| + +You can configure custom password rules for keystone security compliance. + +.. rubric:: |proc| + +#. Use the following parameters to set the rules for keystone security + compliance. + + .. code-block:: + + system service-parameter-add identity security_compliance unique_last_password_count + system service-parameter-add identity security_compliance password_regex + system service-parameter-add identity security_compliance password_regex_description + +#. In order for the changes to take effect, apply the new configuration with + the command: + + .. code-block:: + + system service-parameter-apply identity + + For security reasons these parameters are validated: + + - ``unique_last_password_count`` must be an integer equal or greater than + zero. + + - ``password_regex`` must be a valid regex conforming to the Python + Regular Expression (RE) syntax: + https://docs.python.org/3/library/re.html. + + - ``password_regex_description`` must be a non empty string. + + .. note:: + + The ``password_regex_description`` will be used by keystone as part of + the error message when the user tries a password that does not conform + to the rules. Make sure to have an explanatory description. + + For example: + + .. 
code-block:: + + [sysadmin@controller-0 ~(keystone_admin)]$ system service-parameter-add identity security_compliance unique_last_password_count=7 + +-------------+--------------------------------------+ + | Property | Value | + +-------------+--------------------------------------+ + | uuid | 27e18c80-e8be-47ce-9b24-f21136682de6 | + | service | identity | + | section | security_compliance | + | name | unique_last_password_count | + | value | 7 | + | personality | None | + | resource | None | + +-------------+--------------------------------------+ + [sysadmin@controller-0 ~(keystone_admin)]$ system service-parameter-add identity security_compliance password_regex='^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()<>{}+=_\\\[\]\-?|~`,.;:]).{20,}$' + +-------------+---------------------------------------------------------------------------------+ + | Property | Value | + +-------------+---------------------------------------------------------------------------------+ + | uuid | bab59259-4463-4bce-a6ed-e7b2dcfeb2ac | + | service | identity | + | section | security_compliance | + | name | password_regex | + | value | ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()<>{}+=_\\\[\]\-?|~`,.;:]).{20,}$ | + | personality | None | + | resource | None | + +-------------+---------------------------------------------------------------------------------+ + [sysadmin@controller-0 ~(keystone_admin)]$ system service-parameter-modify identity security_compliance password_regex_description='Password must have a minimum length of 20 characters, and must contain at least 1 upper case, 1 lower case, 1 digit, and 1 special character' + +-------------+----------------------------------------------------------------------------------------------------------------------------------------------+ + | Property | Value | + +-------------+----------------------------------------------------------------------------------------------------------------------------------------------+ + | uuid | 
83ae409e-d5b5-4465-b71b-f29b81bdcb67 | + | service | identity | + | section | security_compliance | + | name | password_regex_description | + | value | Password must have a minimum length of 20 characters, and must contain at least 1 upper case, 1 lower case, 1 digit, and 1 special character | + | personality | None | + | resource | None | + +-------------+----------------------------------------------------------------------------------------------------------------------------------------------+ + [sysadmin@controller-0 ~(keystone_admin)]$ + [sysadmin@controller-0 ~(keystone_admin)]$ system service-parameter-apply identity + Applying platform service parameters + +#. The system :command:`service-parameter-apply` command will apply the + configuration to ``/etc/keystone/keystone.conf`` and restart the keystone + service. + + To see the exact moment keystone is restarted, check the ``sm-customer.log``: + + .. code-block:: + + [sysadmin@controller-0 ~(keystone_admin)]$ date + Wed Oct 20 02:03:12 UTC 2021 + [sysadmin@controller-0 ~(keystone_admin)]$ # let's check that keystone is being restarted + [sysadmin@controller-0 ~(keystone_admin)]$ tailf -n 5 /var/log/sm-customer.log + | 2021-10-20T02:02:42.109 | 398 | service-scn | vim | enabling-throttle | enabling | throttle open to enable service + | 2021-10-20T02:02:42.110 | 399 | service-scn | cert-mon | enabling | enabled-active | enable success + | 2021-10-20T02:02:42.141 | 400 | service-scn | hw-mon | enabling-throttle | enabling | throttle open to enable service + | 2021-10-20T02:02:42.480 | 401 | service-scn | vim | enabling | enabled-active | enable success + | 2021-10-20T02:02:43.584 | 402 | service-scn | hw-mon | enabling | enabled-active | enable success + | 2021-10-20T02:04:19.289 | 403 | service-scn | keystone | enabled-active | disabling | restart safe requested + | 2021-10-20T02:04:20.512 | 404 | service-scn | keystone | disabling | disabled | disable success + | 2021-10-20T02:04:20.980 | 405 | service-scn 
| keystone | disabled | enabling-throttle | enabled-active state requested + | 2021-10-20T02:04:21.007 | 406 | service-scn | keystone | enabling-throttle | enabling | throttle open to enable service + | 2021-10-20T02:04:22.431 | 407 | service-scn | keystone | enabling | enabled-active | enable success + +#. Search for ``keystone.conf`` to see the new rules being persisted. + + .. code-block:: + + [sysadmin@controller-1 ~(keystone_admin)]$ sudo grep "unique_last_password_count\|password_regex" /etc/keystone/keystone.conf + #unique_last_password_count = 0 + unique_last_password_count = 7 + #password_regex = + password_regex = ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()<>{}+=_\\\[\]\-?|~`,.;:]).{20,}$ + #password_regex_description = + password_regex_description = 20 characters minimum, must have numbers and special characters + +#. After that, the new rules are already in place, and they can be used. + + .. code-block:: + + [sysadmin@controller-1 ~(keystone_admin)]$ openstack user password set + Current Password: + New Password: + Repeat New Password: + The password does not match the requirements: 20 characters minimum, must have numbers and special characters. (HTTP 400) (Request-ID: req-3aa0f2f9-eef8-4f28-8e3c-ae4a7eaf1d29)
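Review bot: the `keystone-accounts.rst` hunk swaps one `\ No newline at end of file` for another; since the line is being touched anyway, ending the new `keystone-security-compliance-configuration-b149adca6a7f` toctree entry with a newline would keep the last entry from being rewritten in every future edit to this list.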
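Review bot: in the worked example of the new file, `password_regex_description` is set with `system service-parameter-modify` while step 1 and the two preceding commands use `system service-parameter-add`, so a reader following the page from scratch has no `add` for that parameter to modify; make it `system service-parameter-add identity security_compliance password_regex_description='...'` for consistency with the procedure. The same example is inconsistent with itself in two further places: the description stored in that command's output ("Password must have a minimum length of 20 characters, ...") is not the value later shown in `/etc/keystone/keystone.conf` and in the `openstack user password set` error ("20 characters minimum, must have numbers and special characters"), and the `grep` and `password set` steps run on controller-1 while everything before them runs on controller-0; one description and one host throughout would avoid suggesting that something changed in between. Two smaller points: the three `service-parameter-add` lines in step 1 omit the `=<value>` that the example shows is needed, and the validation bullets introduced by "For security reasons these parameters are validated" sit under the `service-parameter-apply` step although they describe the values given to `service-parameter-add`, so they belong with step 1 (and "equal or greater than zero" should read "equal to or greater than zero").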