No way to specify password strength in keystone.
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Won't Fix | Wishlist | Unassigned | 
Bug Description
There is a way to set the regular expression for horizon for a password, but there is no way to do this in keystone.
We need a configuration parameter in keystone for the regular expression and another one for the message to be shown when the password is not valid.
```
# password regular expression for user password
password_
password_
```
These then need to be validated in the respective controllers (both v2 and v3).
Example in ./keystone/:
```python
    @staticmethod
    def check_syntax(
        a = re.match(
        if not a:
            raise exception.

    @staticmethod
    def check_pwd_

        # if password is empty allow it,
        # since empty password won't allow user to login
        if password is None:
            return
        if name in password or password in name:
            raise exception.
        User.check_

    # ...

    @controller.
    def create_user(self, context, user):
        self._require_

        if user.get(
            User.check_
        # The manager layer will generate the unique ID for users
        ref = self._normalize
        ref = self._normalize
        ref = self.identity_
        return UserV3.

    # ...

    def _update_user(self, context, user_id, user):

        # if password is being changed
        # then check if name is not part of password
        if 'password' in user:
            # if name is not present then get it from the backend
            if 'name' not in user:
                old_user_ref = self.identity_
                name = old_user_
            else:
                name = user['name']
            User.check_

        self._require_
        self._require_
            user_id, user, self.identity_
        ref = self.identity_
        return UserV3.

    # ...

    @controller.
    def change_
        original_password = user.get(
        if original_password is None:
            raise exception.
                attribute=

        password = user.get(
        if password is None:
            raise exception.
                attribute=
        # if name is not present then get it from the backend
        if 'name' not in user:
            old_user_ref = self.identity_
            name = old_user_
        else:
            name = user['name']

        User.check_

        try:
            self.identity_
                context, user_id, original_password, password)
        except AssertionError:
            raise exception.
```
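The validation flow the report proposes (a configurable regex plus its failure message, a check that the user name is not embedded in the password, an absent password allowed, and a fallback to the stored name when an update omits it), as an added stand-alone example that is not keystone code or the reporter's patch. The option names, the sample regex, the message text and the `ValidationError` class are placeholders; the page shows the real names only truncated. Unlike the patch, the name-in-password comparison here is case-insensitive.

```python
import re
from typing import Optional

# Placeholders for the two settings the bug asks for (names not from the page).
PASSWORD_REGEX = r"^(?=.*[A-Z])(?=.*[a-z])(?=.*\d).{8,}$"
PASSWORD_REGEX_DESCRIPTION = ("Password must be at least 8 characters and "
                              "contain upper-case, lower-case and digits.")


class ValidationError(ValueError):
    """Stands in for the keystone exception the truncated patch raises."""


class PasswordPolicy:
    def __init__(self, regex: str = PASSWORD_REGEX,
                 description: str = PASSWORD_REGEX_DESCRIPTION) -> None:
        # Compile once: a malformed operator-supplied pattern fails at
        # startup instead of on the first user request.
        self._pattern = re.compile(regex)
        self._description = description

    def check_syntax(self, password: str) -> None:
        # Report the operator's message, never the pattern itself.
        if not self._pattern.match(password):
            raise ValidationError(self._description)

    def check_password(self, password: Optional[str], name: str) -> None:
        # An absent password is allowed, as in the patch: such a user
        # cannot log in with a password anyway.
        if password is None:
            return
        pw, nm = password.lower(), name.lower()
        if nm in pw or pw in nm:  # case-insensitive, stricter than the patch
            raise ValidationError("Password must not contain the user name")
        self.check_syntax(password)

    def is_acceptable(self, password: Optional[str], name: str) -> bool:
        try:
            self.check_password(password, name)
        except ValidationError:
            return False
        return True


def validate_user_update(policy: PasswordPolicy, user: dict,
                         stored_name: str) -> Optional[str]:
    """Mirror of the _update_user flow: check only when the password changes,
    using the stored name if the request omits one. Returns the name checked,
    or None when no password change was requested."""
    if "password" not in user:
        return None
    name = user.get("name", stored_name)
    policy.check_password(user["password"], name)
    return name
```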
affects: bagpipe-l2 → keystone
Changed in keystone:
importance: Undecided → Wishlist
status: New → Triaged
Keystone should not have to handle passwords; users should exist in LDAP or through an identity provider. The only passwords we handle are for service accounts (admin/nova/glance/etc.), so the need for investing in additional logic to handle passwords is not worth it for us. Furthermore, each deployer may want to set their own password policy, independent of whatever we suggest.