Missing PCI-DSS 8.2.6 requiring users to change their password upon first use

Bug #1645487 reported by Ron De Rose
Affects                        Status        Importance  Assigned to   Milestone
OpenStack Identity (keystone)  Fix Released  Medium      Ron De Rose

Bug Description

PCI-DSS 8.2.6 requires that users immediately change their password upon first use [1]. However, this requirement was missed in the PCI-DSS spec and implementation [2]. PCI-DSS 8.2.6 needs to be implemented in order for Keystone to be PCI compliant.

[1] https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf
[2] https://github.com/openstack/keystone-specs/blob/master/specs/keystone/newton/pci-dss.rst
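
Illustrating the control this report asks for, as an added example that is not part of the bug report or of Keystone's own code: an operator-set password (initial or reset) is stored already expired, so the only operation it can satisfy is the user's own change-password call, and normal authentication is refused until that has happened. The class and exception names, the per-user exempt set for accounts that cannot change their own password, and the sample users and timestamps are assumptions of the example; Keystone's actual implementation is the commit linked further down in this report.

```python
"""Illustration of the PCI-DSS 8.2.6 control this bug is about: a password set by
an operator (at creation or on reset) may be used only to choose a new one, and
ordinary authentication is refused until the user has done so.

Example code written for this page, not Keystone's implementation; UserStore,
PasswordRecord, PasswordMustChange and the per-user exempt set are invented here.
"""
import datetime
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Set

ADMIN_SET = "admin"    # password chosen by an operator (create or reset)
SELF_SERVICE = "self"  # password chosen by the user via change_password()


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-record salt; the iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def _now() -> datetime.datetime:
    return datetime.datetime.now(datetime.timezone.utc)


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes
    set_by: str                              # ADMIN_SET or SELF_SERVICE
    expires_at: Optional[datetime.datetime]  # None: no forced change pending


class AuthFailed(Exception):
    """Unknown user or wrong password."""


class PasswordMustChange(Exception):
    """Credential is correct but may only be used to set a new password."""


class UserStore:
    def __init__(self, change_password_upon_first_use: bool = True) -> None:
        self.change_password_upon_first_use = change_password_upon_first_use  # deployment-wide switch
        # Per-user opt-out for accounts that cannot change their own password
        # interactively (e.g. service accounts); a choice of this example, not a PCI rule.
        self.exempt: Set[str] = set()
        self._users: Dict[str, PasswordRecord] = {}

    def _store(self, user: str, password: str, set_by: str, now: datetime.datetime) -> None:
        forced = (set_by == ADMIN_SET and self.change_password_upon_first_use
                  and user not in self.exempt)
        # Expire the password the instant it is set: all it can then do is
        # satisfy change_password(), which replaces it.
        salt = os.urandom(16)
        self._users[user] = PasswordRecord(salt, _hash(password, salt), set_by,
                                           now if forced else None)

    def admin_set_password(self, user: str, password: str, now=None) -> None:
        """Operator creates the account or resets its password (the 8.2.6 trigger)."""
        self._store(user, password, ADMIN_SET, now or _now())

    def _verify(self, user: str, password: str) -> PasswordRecord:
        rec = self._users.get(user)
        if rec is None or not hmac.compare_digest(_hash(password, rec.salt), rec.digest):
            raise AuthFailed("invalid credentials")
        return rec

    def authenticate(self, user: str, password: str, now=None) -> bool:
        """Normal login: refused while a forced change is pending."""
        rec = self._verify(user, password)
        if rec.expires_at is not None and rec.expires_at <= (now or _now()):
            raise PasswordMustChange("password must be changed before first use")
        return True

    def change_password(self, user: str, old: str, new: str, now=None) -> None:
        """Self-service change: the one operation an admin-set password may perform."""
        self._verify(user, old)  # the user must still prove the current secret
        if new == old:
            raise ValueError("new password must differ from the current one")
        self._store(user, new, SELF_SERVICE, now or _now())


def demo() -> Dict[str, object]:
    """Run the flow once on constructed data and report what each step did."""
    t0 = datetime.datetime(2017, 1, 26, tzinfo=datetime.timezone.utc)  # constructed
    store = UserStore()
    store.exempt.add("svc-cinder")  # constructed service account
    out: Dict[str, object] = {}
    store.admin_set_password("alice", "Initial-Pass-1", now=t0)
    try:
        store.authenticate("alice", "Initial-Pass-1", now=t0)
        out["login_with_admin_password"] = "allowed"
    except PasswordMustChange:
        out["login_with_admin_password"] = "must_change"
    store.change_password("alice", "Initial-Pass-1", "Chosen-Pass-2", now=t0)
    out["login_after_change"] = store.authenticate("alice", "Chosen-Pass-2", now=t0)
    store.admin_set_password("alice", "Reset-Pass-3", now=t0)  # an operator reset re-arms it
    try:
        store.authenticate("alice", "Reset-Pass-3", now=t0)
        out["login_after_reset"] = "allowed"
    except PasswordMustChange:
        out["login_after_reset"] = "must_change"
    store.admin_set_password("svc-cinder", "Svc-Pass-1", now=t0)
    out["exempt_service_account"] = store.authenticate("svc-cinder", "Svc-Pass-1", now=t0)
    return out
```

Two details matter in practice. The old password is verified before the new one is accepted in change_password, so someone who cannot present the current secret cannot turn the forced-change path into a password reset. And the expiry is set to the moment the operator stores the password rather than to a flag, so the same expired-password check that serves a password-age policy also serves first use and reset, and a later operator reset re-arms the control automatically.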

Tags: pci
Changed in keystone:
assignee: nobody → Ron De Rose (ronald-de-rose)
importance: Undecided → Medium
milestone: none → ocata-2
Changed in keystone:
status: New → In Progress
Revision history for this message
Steve Martinelli (stevemar) wrote:
tags: added: pci
Changed in keystone:
milestone: ocata-2 → ocata-3
Changed in keystone:
assignee: Ron De Rose (ronald-de-rose) → Steve Martinelli (stevemar)
Changed in keystone:
assignee: Steve Martinelli (stevemar) → Ron De Rose (ronald-de-rose)
OpenStack Infra (hudson-openstack) wrote: Change abandoned on keystone (master)

Change abandoned by Ron De Rose (<email address hidden>) on branch: master
Review: https://review.openstack.org/403916
Reason: Abandoning this patch in favor of: https://review.openstack.org/#/c/424856/

Changed in keystone:
milestone: ocata-3 → ocata-rc1
OpenStack Infra (hudson-openstack) wrote: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/425507
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=0b3e59e0411c546539d8f17e81af3a04c5f46f90
Submitter: Jenkins
Branch: master

commit 0b3e59e0411c546539d8f17e81af3a04c5f46f90
Author: Ronald De Rose <email address hidden>
Date: Thu Jan 26 03:07:44 2017 +0000

    PCI-DSS Force users to change password upon first use

    "PCI-DSS 8.2.6 Set passwords/passphrases for first-time use and
    upon reset to a unique value for each user, and change immediately after
    the first use" [1].

    I'll update the docs in a subsequent patch.

    [1] https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf

    Closes-Bug: #1645487
    Change-Id: I5575dbd6d63d41014a7468acd6bdf0175d791618

Changed in keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote: Fix included in openstack/keystone 11.0.0.0rc1

This issue was fixed in the openstack/keystone 11.0.0.0rc1 release candidate.
