Password rules enhancement

Story: 2011084
Task: 50154

Change-Id: I34a70e6f2a68cb6617a16931f04edc92ccff0a93
Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com>
Elisamara Aoki Goncalves 2024-06-10 20:15:39 +00:00
parent d02980606e
commit f85f77229a
14 changed files with 104 additions and 22 deletions

View File

@ -115,7 +115,7 @@ are in ``/home/sysadmin/ssl/``.
insecureNoSSL: false insecureNoSSL: false
insecureSkipVerify: false insecureSkipVerify: false
bindDN: cn=Administrator,cn=Users,dc=cumulus,dc=wrs,dc=com bindDN: cn=Administrator,cn=Users,dc=cumulus,dc=wrs,dc=com
bindPW: Li69nux* bindPW: St8rlingXCloud*
usernamePrompt: Username usernamePrompt: Username
userSearch: userSearch:
baseDN: ou=Users,ou=Titanium,dc=cumulus,dc=wrs,dc=com baseDN: ou=Users,ou=Titanium,dc=cumulus,dc=wrs,dc=com
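Review bot: The new `bindPW` value for the `cn=Administrator` bind account is the same literal this commit uses for the `sysadmin` and Keystone `admin` sample passwords, which invites readers to copy one shared password across the platform and the Active Directory bind. Suggest a placeholder such as `bindPW: <AD-bind-password>` here so the connector example does not imply a default.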

View File

@ -34,4 +34,4 @@ For example:
.. code-block:: none .. code-block:: none
~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_platform.yml -e "initial_backup_dir=/home/sysadmin" -e "ansible_become_pass=St8rlingX*" -e "admin_password=St8rlingX*" -e "backup_filename=localhost_platform_backup.tgz" -e "restore_mode=optimized" -e "restore_registry_filesystem=true" -e "replacement_mgmt_mac=a1:a2:a3:a4:a5:a6" ~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_platform.yml -e "initial_backup_dir=/home/sysadmin" -e "ansible_become_pass=St8rlingXCloud*" -e "admin_password=St8rlingXCloud*" -e "backup_filename=localhost_platform_backup.tgz" -e "restore_mode=optimized" -e "restore_registry_filesystem=true" -e "replacement_mgmt_mac=a1:a2:a3:a4:a5:a6"
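Review bot: The updated example still passes `ansible_become_pass` and `admin_password` as clear text in `-e` arguments, so the new password lands in shell history and is visible in the process list while the playbook runs. Since the line is being touched anyway, suggest using an obvious placeholder (for example `<sysadmin-password>`) and pointing readers to the ansible-vault secrets file that the install docs in this same change already describe.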

View File

@ -176,7 +176,7 @@ conditions are in place:
.. code-block:: none .. code-block:: none
~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_user_images.yml -e "initial_backup_dir=/home/sysadmin backup_filename=localhost_user_images_backup_2023_07_15_21_24_22.tgz ansible_become_pass=St8rlingX*" ~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_user_images.yml -e "initial_backup_dir=/home/sysadmin backup_filename=localhost_user_images_backup_2023_07_15_21_24_22.tgz ansible_become_pass=St8rlingXCloud*"
.. note:: .. note::

View File

@ -84,11 +84,11 @@ and target it at controller-0.
yes/no: 'yes' yes/no: 'yes'
sysadmin*: 'sysadmin' sysadmin*: 'sysadmin'
(current) UNIX password: 'sysadmin' (current) UNIX password: 'sysadmin'
New password: 'St8rlingX*' New password: 'St8rlingXCloud*'
Retype new password: 'St8rlingX*' Retype new password: 'St8rlingXCloud*'
admin_password: St8rlingX* admin_password: St8rlingXCloud*
ansible_become_pass: St8rlingX* ansible_become_pass: St8rlingXCloud*
ansible_ssh_pass: St8rlingX* ansible_ssh_pass: St8rlingXCloud*
Save your changes and quit the editor. If you need to make additional Save your changes and quit the editor. If you need to make additional
changes, you can use the command :command:`ansible-vault edit changes, you can use the command :command:`ansible-vault edit

View File

@ -85,7 +85,7 @@ Below you can find other ``-e`` command line options:
.. code-block:: none .. code-block:: none
~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_platform.yml -e "initial_backup_dir=/home/sysadmin ansible_become_pass=St8rlingX* admin_password=St8rlingX* backup_filename=localhost_platform_backup_2020_07_27_07_48_48.tgz wipe_ceph_osds=true" ~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_platform.yml -e "initial_backup_dir=/home/sysadmin ansible_become_pass=St8rlingXCloud* admin_password=St8rlingXCloud* backup_filename=localhost_platform_backup_2020_07_27_07_48_48.tgz wipe_ceph_osds=true"
.. note:: .. note::

View File

@ -186,7 +186,7 @@ From a new shell as a root user, without sourcing ``/etc/platform/openrc``:
endpoint_type: internalURL endpoint_type: internalURL
auth: auth:
username: 'admin' username: 'admin'
password: 'Li69nux*' password: 'St8rlingXCloud*'
project_name: 'admin' project_name: 'admin'
project_domain_name: 'default' project_domain_name: 'default'
user_domain_name: 'default' user_domain_name: 'default'

View File

@ -269,7 +269,7 @@ The following command will request the Keystone token:
"user": { "user": {
"name": "admin", "name": "admin",
"domain": { "id": "default" }, "domain": { "id": "default" },
"password": "St8rlingX*" "password": "St8rlingXCloud*"
} }
} }
}, },

View File

@ -127,7 +127,7 @@ Example:
:: ::
ansible-playbook /localdisk/designer/repo/cgcs-root/stx/stx-ansible-playbooks/playbookconfig/src/playbooks/backup-restore/backup.yml --limit my_vbox -i $HOME/br_test/hosts -e "host_backup_dir=$HOME/br_test ansible_become_pass=Li69nux* admin_password=Li69nux* ansible_ssh_pass=Li69nux* ansible_ssh_pass=Li69nux*" ansible-playbook /localdisk/designer/repo/cgcs-root/stx/stx-ansible-playbooks/playbookconfig/src/playbooks/backup-restore/backup.yml --limit my_vbox -i $HOME/br_test/hosts -e "host_backup_dir=$HOME/br_test ansible_become_pass=St8rlingXCloud* admin_password=St8rlingXCloud* ansible_ssh_pass=St8rlingXCloud* ansible_ssh_pass=St8rlingXCloud*"
#. If you deploy the system with rook instead of ceph backend, you must add the ``rook_enabled=true`` variable. #. If you deploy the system with rook instead of ceph backend, you must add the ``rook_enabled=true`` variable.
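Review bot: The backup command carries `ansible_ssh_pass` twice at the end of the `-e` string (`ansible_ssh_pass=St8rlingXCloud* ansible_ssh_pass=St8rlingXCloud*`), a duplicate that was copied over from the old line. Drop the second occurrence while this line is being rewritten.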
@ -344,7 +344,7 @@ Steps:
:: ::
ansible-playbook /localdisk/designer/jenkins/tis-stx-dev/cgcs-root/stx/ansible-playbooks/playbookconfig/src/playbooks/restore_platform.yml --limit my_vbox -i $HOME/br_test/hosts -e "ansible_become_pass=Li69nux* admin_password=Li69nux* ansible_ssh_pass=Li69nux* initial_backup_dir=$HOME/br_test backup_filename=my_vbox_system_backup_2019_08_08_15_25_36.tgz ansible_remote_tmp=/home/sysadmin/ansible-restore" ansible-playbook /localdisk/designer/jenkins/tis-stx-dev/cgcs-root/stx/ansible-playbooks/playbookconfig/src/playbooks/restore_platform.yml --limit my_vbox -i $HOME/br_test/hosts -e "ansible_become_pass=St8rlingXCloud* admin_password=St8rlingXCloud* ansible_ssh_pass=St8rlingXCloud* initial_backup_dir=$HOME/br_test backup_filename=my_vbox_system_backup_2019_08_08_15_25_36.tgz ansible_remote_tmp=/home/sysadmin/ansible-restore"
#. If you deploy the system with rook instead of ceph backend, you must add the ``rook_enabled=true`` variable in above command. #. If you deploy the system with rook instead of ceph backend, you must add the ``rook_enabled=true`` variable in above command.
@ -470,7 +470,7 @@ Steps:
:: ::
ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_openstack.yml -e 'initial_backup_dir=/opt/backups ansible_become_pass=Li69nux* admin_password=Li69nux* backup_filename=localhost_openstack_backup_2019_12_13_12_43_17.tgz' ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_openstack.yml -e 'initial_backup_dir=/opt/backups ansible_become_pass=St8rlingXCloud* admin_password=St8rlingXCloud* backup_filename=localhost_openstack_backup_2019_12_13_12_43_17.tgz'
If you want to restore Glance images and Cinder volumes from external If you want to restore Glance images and Cinder volumes from external
storage (the Optional step above was executed) or you want to reconcile storage (the Optional step above was executed) or you want to reconcile
@ -489,7 +489,7 @@ Steps:
:: ::
ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_openstack.yml -e 'restore_cinder_glance_data=true ansible_become_pass=Li69nux* admin_password=Li69nux* backup_filename=localhost_openstack_backup_2019_12_13_12_43_17.tgz initial_backup_dir=/opt/backups' ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_openstack.yml -e 'restore_cinder_glance_data=true ansible_become_pass=St8rlingXCloud* admin_password=St8rlingXCloud* backup_filename=localhost_openstack_backup_2019_12_13_12_43_17.tgz initial_backup_dir=/opt/backups'
* Restore Glance images and Cinder volumes using image-backup.sh and * Restore Glance images and Cinder volumes using image-backup.sh and
tidy_storage_post_restore helper scripts. tidy_storage_post_restore helper scripts.
@ -556,4 +556,4 @@ Steps:
:: ::
ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_openstack.yml -e 'restore_openstack_continue=true ansible_become_pass=Li69nux* admin_password=Li69nux* backup_filename=localhost_openstack_backup_2019_12_13_12_43_17.tgz initial_backup_dir=/opt/backups' ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_openstack.yml -e 'restore_openstack_continue=true ansible_become_pass=St8rlingXCloud* admin_password=St8rlingXCloud* backup_filename=localhost_openstack_backup_2019_12_13_12_43_17.tgz initial_backup_dir=/opt/backups'

View File

@ -93,7 +93,7 @@ using the ansible playbook.
.. code-block:: none .. code-block:: none
{ {
"ansible_ssh_pass": "St8rlingX*", "ansible_ssh_pass": "St8rlingXCloud*",
"external_oam_node_0_address": "10.10.10.13", "external_oam_node_0_address": "10.10.10.13",
"external_oam_node_1_address": "10.10.10.14", "external_oam_node_1_address": "10.10.10.14",
} }
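Review bot: The JSON example ends with `"external_oam_node_1_address": "10.10.10.14",` directly before the closing `}`, and that trailing comma makes the block invalid JSON for anyone who pastes it. It is a context line rather than part of the change, but it is worth removing the comma in the same edit.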

View File

@ -21,6 +21,7 @@ System Accounts
remote-windows-active-directory-accounts remote-windows-active-directory-accounts
starlingx-system-accounts-system-account-password-rules starlingx-system-accounts-system-account-password-rules
manage-local-ldap-39fe3a85a528 manage-local-ldap-39fe3a85a528
linux-accounts-password-3dcad436dce4
***************** *****************
Access the System Access the System

View File

@ -18,6 +18,26 @@ You can configure custom password rules for keystone security compliance.
system service-parameter-add identity security_compliance unique_last_password_count system service-parameter-add identity security_compliance unique_last_password_count
system service-parameter-add identity security_compliance password_regex system service-parameter-add identity security_compliance password_regex
system service-parameter-add identity security_compliance password_regex_description system service-parameter-add identity security_compliance password_regex_description
system service-parameter-add identity security_compliance password_expires_days
.. note::
``password_expire_days`` must be a positive integer.
.. code-block:: none
[sysadmin@controller-0 ~(keystone_admin)]$ system service-parameter-add identity security_compliance password_expires_days=90
+-------------+--------------------------------------+
| Property | Value |
+-------------+--------------------------------------+
| uuid | 27d24c80-e9de-37ce-9d26-f21236782be8 |
| service | identity |
| section | security_compliance |
| name | password_expires_days |
| value | 90 |
| personality | None |
| resource | None |
+-------------+--------------------------------------+
#. In order for the changes to take effect, apply the new configuration with #. In order for the changes to take effect, apply the new configuration with
the command: the command:
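Review bot: The added note names the parameter ``password_expire_days``, while the command list, the example command and the output table all use `password_expires_days`; a reader who copies the name from the note will get a rejected parameter. Fix the note to `password_expires_days`. It would also help to state the unit (days) and what happens to existing accounts once the value is applied, since the note only says the value must be a positive integer.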

View File

@ -0,0 +1,58 @@
.. _linux-accounts-password-3dcad436dce4:
=============================
Linux Accounts Password Rules
=============================
.. rubric:: Check Current Password Expiry Settings
Before making any changes, you may want to check the current password expiry
settings for the user. You can do this by running the :command:`chage -l
<username>` command, replacing ``<username>`` with the name of the user whose
password expiry settings you want to view.
.. code-block:: none
sudo chage -l <username>
.. rubric:: Change Password Expiry Settings
To change the password expiry period of Linux accounts, run the :command:`chage`
command, as bellow:
.. code-block:: none
[sysadmin@controller-0 ~(keystone_admin)]$ sudo chage -M <days_to_expiry> <username>
For example, to set the maximum number of days before the password must be
changed to 60 days for a user named ``sysadmin``, you can use the following
command:
.. code-block:: none
[sysadmin@controller-0 ~(keystone_admin)]$ sudo chage -M 60 sysadmin
Verify Changes
--------------
After making the changes, verify that the new password expiry settings have
been applied by running the :command:`chage -l <username>` command again.
.. code-block:: none
chage -l <username>
For the example above of user ``sysadmin`` and expiry period of 60 days, the
output of ``chage -l <username>`` should be as follows:
.. code-block:: none
[sysadmin@controller-0 ~(keystone_admin)]$ chage -l sysadmin
Last password change : abr 30, 2024
Password expires : jun 29, 2024
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 60
Number of days of warning before password expires : 7
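Review bot: The sample `chage -l sysadmin` output at the end of the new file shows month names from a non-English locale (`abr 30, 2024`, `jun 29, 2024`); regenerate it with an English locale, for example by running the command with `LC_ALL=C`, so it matches what readers will see. Smaller points in the same file: "as bellow" should be "as below", the "Verify Changes" section uses an underlined heading where the other two sections use `.. rubric::`, and the first `chage -l` example uses `sudo` while the verification one does not.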

View File

@ -14,9 +14,9 @@ other Linux Accounts, and Keystone accounts):
.. _starlingx-system-accounts-system-account-password-rules-ul-evs-dsn-ynb: .. _starlingx-system-accounts-system-account-password-rules-ul-evs-dsn-ynb:
- The password must be at least seven characters long. - The password must be at least 12 characters long.
- You cannot reuse the last 2 passwords in history. - You cannot reuse the last 5 passwords in history.
- The password must contain: - The password must contain:
@ -59,3 +59,6 @@ LDAP, sysadmin, and other Linux accounts):
.. note:: .. note::
This rule does not apply to the root user. This rule does not apply to the root user.
For more details on Linux Accounts password rules see:
:ref:`linux-accounts-password-3dcad436dce4`.

View File

@ -13,9 +13,9 @@ By default, the following rules apply:
.. _security-system-account-password-rules-ul-jwb-g15-zw: .. _security-system-account-password-rules-ul-jwb-g15-zw:
- The password must be at least seven characters long. - The password must be at least 12 characters long.
- You cannot reuse the last 2 passwords in history. - You cannot reuse the last 5 passwords in history.
- The password must contain: - The password must contain:
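Review bot: The minimum-length and history bullets here are changed in exactly the same way as in the other password-rules page in this commit ("at least 12 characters", "last 5 passwords"), so the rule list is maintained in two places and can drift on the next update. Consider moving the shared list into one file and including it from both pages.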