add support for security_compliance in keystone config
Bug #1776688 reported by
Ashley Lai
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Keystone Charm | Fix Released | Wishlist | Alex Kavanagh | |
Bug Description
This bug is a request to add a charm option in keystone to be able to add Security Compliance Options in the keystone.conf file.
Upstream documentation reference:
https:/
tags: | added: atos |
tags: | added: sts |
Changed in charm-keystone: | |
assignee: | nobody → Alex Kavanagh (ajkavanagh) |
status: | Triaged → In Progress |
Changed in charm-keystone: | |
milestone: | none → 20.05 |
Changed in charm-keystone: | |
status: | Fix Committed → Fix Released |
Worth noting that these options only apply to SQL backend domains; with LDAP-backed domains it's assumed that LDAP will provide these policy features, not keystone.
Options are enabled globally for all SQL-backed domains, including the service domain for nova/cinder/glance/keystone accounts, so it's important to consider the implications of this change: Do the generated passwords for service accounts meet the requirements for the password complexity? How do we reset a service account password in the event that someone manages to DoS the account (because all backend services would be locked out in this case)?
An action to reset a password for a service account would be an obvious choice.
Either way this is more than 'just add some config options' as it has wider implications for deployments, so I'd like to see a spec drafted and reviewed before we embark on implementing this new feature.
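
The two questions in the comment above can be checked against a candidate configuration before the options are enabled. The following Python is an added example, not part of the bug report or the charm's code: it reads a `[security_compliance]` section and reports which service accounts would fail `password_regex` or become subject to lockout. The configuration values, account names and passwords are constructed, and the function names are hypothetical.

```python
import configparser
import re

# Constructed keystone.conf fragment; the values are illustrative only.
SAMPLE_CONF = r"""
[security_compliance]
lockout_failure_attempts = 5
lockout_duration = 1800
password_regex = ^(?=.*\d)(?=.*[a-zA-Z]).{7,}$
"""

# Constructed service-account passwords (hypothetical, not real credentials).
SAMPLE_PASSWORDS = {
    "nova": "k3Jq9xPz2LmW",    # letters and digits, long enough
    "cinder": "abcdefghijkl",  # no digit
    "glance": "short1",        # only 6 characters
}


def load_compliance(conf_text):
    """Return the [security_compliance] options as a dict (empty if absent)."""
    parser = configparser.ConfigParser(interpolation=None)  # regex may contain '%'
    parser.read_string(conf_text)
    if not parser.has_section("security_compliance"):
        return {}
    return dict(parser["security_compliance"])


def audit_service_accounts(conf_text, passwords):
    """List (account, issue) pairs for accounts affected by the global options."""
    opts = load_compliance(conf_text)
    findings = []
    regex = opts.get("password_regex")
    if regex:
        pattern = re.compile(regex)
        for account in sorted(passwords):
            # Assumption: the password must match from its first character.
            if not pattern.match(passwords[account]):
                findings.append((account, "password_regex"))
    if int(opts.get("lockout_failure_attempts", 0)) > 0:
        # Lockout is global, so every SQL-backed service account is exposed to it.
        findings.extend((account, "lockout") for account in sorted(passwords))
    return findings


if __name__ == "__main__":
    for account, issue in audit_service_accounts(SAMPLE_CONF, SAMPLE_PASSWORDS):
        print(f"{account}: affected by {issue}")
```
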