The PCI-DSS feature was introduced in the Newton
release and its settings are disabled by default. This
patch adds the ability to enable some of them during
DevStack setup.
Change-Id: If6b5eb3e3cbc43eb241c94d18af80ad50be08772
Depends-On: Id97ca26f93b742cc3d8d49e98afc581f22360504
| ... | ... |
@@ -131,6 +131,12 @@ fi |
| 131 | 131 |
KEYSTONE_AUTH_URI_V3=$KEYSTONE_AUTH_URI/v3 |
| 132 | 132 |
KEYSTONE_SERVICE_URI_V3=$KEYSTONE_SERVICE_URI/v3 |
| 133 | 133 |
|
| 134 |
+# Security compliance |
|
| 135 |
+KEYSTONE_SECURITY_COMPLIANCE_ENABLED=${KEYSTONE_SECURITY_COMPLIANCE_ENABLED:-True}
|
|
| 136 |
+KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS=${KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS:-2}
|
|
| 137 |
+KEYSTONE_LOCKOUT_DURATION=${KEYSTONE_LOCKOUT_DURATION:-5}
|
|
| 138 |
+KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT=${KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT:-2}
|
|
| 139 |
+ |
|
| 134 | 140 |
|
| 135 | 141 |
# Functions |
| 136 | 142 |
# --------- |
| ... | ... |
@@ -339,6 +345,12 @@ function configure_keystone {
|
| 339 | 339 |
# allows policy changes in order to clarify the adminess scope. |
| 340 | 340 |
#iniset $KEYSTONE_CONF resource admin_project_domain_name Default |
| 341 | 341 |
#iniset $KEYSTONE_CONF resource admin_project_name admin |
| 342 |
+ |
|
| 343 |
+ if [[ "$KEYSTONE_SECURITY_COMPLIANCE_ENABLED" = True ]]; then |
|
| 344 |
+ iniset $KEYSTONE_CONF security_compliance lockout_failure_attempts $KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS |
|
| 345 |
+ iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION |
|
| 346 |
+ iniset $KEYSTONE_CONF security_compliance unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT |
|
| 347 |
+ fi |
|
| 342 | 348 |
} |
| 343 | 349 |
|
| 344 | 350 |
# create_keystone_accounts() - Sets up common required keystone accounts |
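Review bot: The defaults added at new lines 135-138 switch the security_compliance settings on for every DevStack run, since `KEYSTONE_SECURITY_COMPLIANCE_ENABLED` falls back to `True`. That does not match the description's wording about the possibility to enable them, and the block has no comment on units or intent. A lockout after 2 failed attempts lasting 5 (keystone's `lockout_duration` is in seconds) looks sized for fast test runs rather than as a PCI-DSS baseline, so anyone copying these values into a real deployment would get a much weaker lockout than they expect. I would add `# Test-oriented values, not a compliance baseline; lockout duration is in seconds.` above the block, and default the switch to `False` if opt-in is what is intended. The lockout presumably also applies to service and admin accounts used during the run, which is worth confirming before this is on by default.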
| ... | ... |
@@ -261,6 +261,9 @@ function configure_tempest {
|
| 261 | 261 |
# Identity |
| 262 | 262 |
iniset $TEMPEST_CONFIG identity uri "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:5000/v2.0/" |
| 263 | 263 |
iniset $TEMPEST_CONFIG identity uri_v3 "$KEYSTONE_SERVICE_URI_V3" |
| 264 |
+ iniset $TEMPEST_CONFIG identity user_lockout_failure_attempts $KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS |
|
| 265 |
+ iniset $TEMPEST_CONFIG identity user_lockout_duration $KEYSTONE_LOCKOUT_DURATION |
|
| 266 |
+ iniset $TEMPEST_CONFIG identity user_unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT |
|
| 264 | 267 |
# Use domain scoped tokens for admin v3 tests, v3 dynamic credentials of v3 account generation |
| 265 | 268 |
iniset $TEMPEST_CONFIG identity admin_domain_scope True |
| 266 | 269 |
if [[ "$TEMPEST_HAS_ADMIN" == "True" ]]; then |
| ... | ... |
@@ -285,6 +288,9 @@ function configure_tempest {
|
| 285 | 285 |
fi |
| 286 | 286 |
|
| 287 | 287 |
# Identity Features |
| 288 |
+ if [[ "$KEYSTONE_SECURITY_COMPLIANCE_ENABLED" = True ]]; then |
|
| 289 |
+ iniset $TEMPEST_CONFIG identity-feature-enabled security_compliance True |
|
| 290 |
+ fi |
|
| 288 | 291 |
# TODO(rodrigods): Remove the reseller flag when Kilo and Liberty are end of life. |
| 289 | 292 |
iniset $TEMPEST_CONFIG identity-feature-enabled reseller True |
| 290 | 293 |
|
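Review bot: The three `iniset $TEMPEST_CONFIG identity user_*` lines at new lines 264-266 are written unconditionally, while the keystone side only sets the matching options when `KEYSTONE_SECURITY_COMPLIANCE_ENABLED` is `True`. With the switch off, tempest.conf would carry lockout and password-history values that keystone is not enforcing; moving those three lines inside the `if [[ "$KEYSTONE_SECURITY_COMPLIANCE_ENABLED" = True ]]; then` block added at new line 288 keeps the two configs in step. The variables appear to be defined in the keystone library, so if this function runs without it being sourced the expansions are empty and unquoted. Quoting them, e.g. `"$KEYSTONE_LOCKOUT_DURATION"`, would keep the iniset argument count stable. configure_tempest starts and ends outside the hunks shown.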