RFE: Whitelisting (opt-in) users/projects/domains for PCI compliance

Bug #1637146 reported by Jesse Keating on 2016-10-27
Affects: OpenStack Identity (keystone)

Bug Description

As a cloud admin, I want to explicitly define which users should have PCI compliance checks turned on. Currently, I can only blacklist certain users, but I have use cases which require one special user (the super duper admin) be held to a higher standard than the other users on a cloud. I have other use cases where entire projects, or maybe even domains, need to be held to a standard, but outside of those they should not be held to the standard.

We provide individual private clouds to customers, and provide them a lower level of admin access than super duper admin. Our own super duper admin needs to adhere to PCI, but we do not feel it's appropriate to enforce such requirements on the users our customers create for themselves. That said, some customers may decide that some sets of the users they create should require PCI compliance, but not all of them. Because we do not control user creation, a blacklist is inappropriate as it will constantly be behind.

Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Ron De Rose (ronald-de-rose)
milestone: none → ocata-1
Changed in keystone:
milestone: ocata-1 → ocata-2
Changed in keystone:
milestone: ocata-2 → none
tags: added: pci
Gage Hugo (gagehugo) wrote :

Does the current resource_options[0] implementation currently fix this (at least partially) since you can opt users out of password expiration/first use password change/lockout attempts?

[0] https://github.com/openstack/keystone/blob/master/keystone/identity/backends/resource_options.py#L61-L78

Jesse Keating (jesse-keating) wrote :

Not really. This seems like a global setting? We simply want to have an explicit list of users that should adhere to PCI compliance, while the rest do not. Since the user creation is outside our control, we cannot make use of blacklists to constantly blacklist new users as they're created.
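Gage's comment above points at keystone's per-user resource options, which let an admin opt a user out of the three PCI-DSS checks (password expiry, forced password change on first use, and lockout after failed attempts); Jesse's objection is that an opt-out list lags behind tenant-created users. The following added example (constructed here, not keystone code or anything from this report) shows how an operator could emulate the requested opt-in behaviour with what keystone already exposes: walk all users, and set the three `ignore_*` options to true on everyone who is not on a whitelist of user ids or domain ids, and to false on everyone who is. The option names and the `PATCH /v3/users/{id}` body shape are keystone's; the sample users, the whitelist contents and the endpoint URL are constructed assumptions.

```python
"""Emulate an opt-in PCI whitelist on top of keystone's per-user opt-out options.

Constructed example, not keystone code. keystone only offers per-user opt-OUT
flags for its PCI-DSS checks:

    ignore_password_expiry
    ignore_change_password_upon_first_use
    ignore_lockout_failure_attempts

An unset flag behaves as False (the check applies). A whitelist is therefore
emulated by reconciling every user against the whitelist and patching only
those whose flags differ from what the whitelist implies. Running this on a
schedule catches users created by tenants since the last run.
"""
import json
import urllib.request
from typing import Dict, Iterable, List, Set, Tuple

PCI_OPT_OUT_OPTIONS = (
    "ignore_password_expiry",
    "ignore_change_password_upon_first_use",
    "ignore_lockout_failure_attempts",
)

# Constructed sample data standing in for GET /v3/users output.
SAMPLE_USERS = [
    {"id": "a1", "name": "superadmin", "domain_id": "default", "options": {}},
    {"id": "b2", "name": "tenant-alice", "domain_id": "cust-1", "options": {}},
    {"id": "c3", "name": "tenant-bob", "domain_id": "cust-1",
     "options": {opt: True for opt in PCI_OPT_OUT_OPTIONS}},
    {"id": "d4", "name": "fin-ops", "domain_id": "cust-2",
     "options": {"ignore_password_expiry": True}},
]
WHITELIST_USER_IDS = {"a1"}       # the operator's own "super duper admin"
WHITELIST_DOMAIN_IDS = {"cust-2"}  # a customer domain that asked for PCI checks


def desired_options(user: dict, user_ids: Set[str], domain_ids: Set[str]) -> Dict[str, bool]:
    """Whitelisted users (by id or by domain) must NOT ignore the checks."""
    enforce = user["id"] in user_ids or user.get("domain_id") in domain_ids
    return {opt: not enforce for opt in PCI_OPT_OUT_OPTIONS}


def plan_patches(users: Iterable[dict], user_ids: Set[str],
                 domain_ids: Set[str]) -> List[Tuple[str, dict]]:
    """Return (user_id, PATCH body) pairs for users whose flags need changing.

    The body shape is keystone's user update request: {"user": {"options": {...}}}.
    Only differing flags are sent, so the run is idempotent.
    """
    patches = []
    for user in users:
        current = user.get("options") or {}
        wanted = desired_options(user, user_ids, domain_ids)
        # A missing flag means False (check enforced), so compare against False.
        delta = {k: v for k, v in wanted.items() if current.get(k, False) is not v}
        if delta:
            patches.append((user["id"], {"user": {"options": delta}}))
    return patches


def apply_patches(patches: List[Tuple[str, dict]], keystone_url: str, token: str) -> None:
    """Send the planned patches. keystone_url is assumed, e.g. https://keystone.example.com/v3."""
    for user_id, body in patches:
        req = urllib.request.Request(
            f"{keystone_url}/users/{user_id}",
            data=json.dumps(body).encode(),
            method="PATCH",
            headers={"X-Auth-Token": token, "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req) as resp:
            resp.read()


if __name__ == "__main__":
    for uid, body in plan_patches(SAMPLE_USERS, WHITELIST_USER_IDS, WHITELIST_DOMAIN_IDS):
        print(uid, json.dumps(body))
```

With the constructed data the plan touches only two users: `b2`, a tenant user outside any whitelisted domain who still has the checks enforced and gets all three `ignore_*` flags set, and `d4`, who sits in the whitelisted domain but had `ignore_password_expiry` set and gets it cleared. The admin `a1` and the already opted-out `c3` are left alone. The reconciliation inverts the sense of the flags, so a bug here silently exempts users; keep the whitelist small and audit the planned patches before applying them.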

Lance Bragstad (lbragstad) wrote :

Unassigning due to inactivity.

Changed in keystone:
assignee: Ron De Rose (ronald-de-rose) → nobody
summary: - Whitelisting (opt-in) users/projects/domains for PCI compliance
+ RFE: Whitelisting (opt-in) users/projects/domains for PCI compliance
tags: added: rfe