keystone  18.0.0
About: OpenStack Keystone (Core Service: Identity) provides an authentication and authorization service for other OpenStack services. Provides a catalog of endpoints for all OpenStack services.
The "Victoria" series (maintained release).

security_compliance.py
1 # Licensed under the Apache License, Version 2.0 (the "License"); you may
2 # not use this file except in compliance with the License. You may obtain
3 # a copy of the License at
4 #
5 # http://www.apache.org/licenses/LICENSE-2.0
6 #
7 # Unless required by applicable law or agreed to in writing, software
8 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
9 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
10 # License for the specific language governing permissions and limitations
11 # under the License.
12 
13 from oslo_config import cfg
14 
15 from keystone.conf import utils
16 
17 
# Options of the ``[security_compliance]`` group (GROUP_NAME below is derived
# from this module's name).  Per the help texts, most of these controls only
# take effect with the `sql` backend for `[identity] driver`, and the defaults
# declared here leave every control switched off: no inactivity disabling,
# no lockout, no password expiry, no password history, a regex that matches
# any password and no forced change on first use.  A deployment that wants
# these controls has to opt in explicitly.

# No default, so the inactivity check is off until a value is set; `min=1`
# rejects 0 and negative values when the config is loaded.
disable_user_account_days_inactive = cfg.IntOpt(
    'disable_user_account_days_inactive',
    min=1,
    help=utils.fmt("""
The maximum number of days a user can go without authenticating before being
considered "inactive" and automatically disabled (locked). This feature is
disabled by default; set any value to enable it. This feature depends on the
`sql` backend for the `[identity] driver`. When a user exceeds this threshold
and is considered "inactive", the user's `enabled` attribute in the HTTP API
may not match the value of the user's `enabled` column in the user table.
"""))

# No default, so failed-attempt lockout is off until a value is set.  The
# lock length comes from `lockout_duration` below.
lockout_failure_attempts = cfg.IntOpt(
    'lockout_failure_attempts',
    min=1,
    help=utils.fmt("""
The maximum number of times that a user can fail to authenticate before the
user account is locked for the number of seconds specified by
`[security_compliance] lockout_duration`. This feature is disabled by
default. If this feature is enabled and `[security_compliance]
lockout_duration` is not set, then users may be locked out indefinitely
until the user is explicitly enabled via the API. This feature depends on
the `sql` backend for the `[identity] driver`.
"""))

# NOTE(review): the `lockout_failure_attempts` help text above describes an
# unset `lockout_duration` as locking users out indefinitely, but this option
# declares default=1800 and min=1, so it cannot be left unset through this
# file -- confirm whether that sentence still reflects the actual behaviour.
lockout_duration = cfg.IntOpt(
    'lockout_duration',
    default=1800,
    min=1,
    help=utils.fmt("""
The number of seconds a user account will be locked when the maximum number of
failed authentication attempts (as specified by `[security_compliance]
lockout_failure_attempts`) is exceeded. Setting this option will have no effect
unless you also set `[security_compliance] lockout_failure_attempts` to a
non-zero value. This feature depends on the `sql` backend for the `[identity]
driver`.
"""))

# No default, so password expiry is off until a value is set.  Per the help
# text, enabling it only affects passwords changed afterwards.
password_expires_days = cfg.IntOpt(
    'password_expires_days',
    min=1,
    help=utils.fmt("""
The number of days for which a password will be considered valid
before requiring it to be changed. This feature is disabled by default. If
enabled, new password changes will have an expiration date, however existing
passwords would not be impacted. This feature depends on the `sql` backend for
the `[identity] driver`.
"""))

# default=0 disables password-history enforcement; `min=0` keeps negatives out.
unique_last_password_count = cfg.IntOpt(
    'unique_last_password_count',
    default=0,
    min=0,
    help=utils.fmt("""
This controls the number of previous user password iterations to keep in
history, in order to enforce that newly created passwords are unique. The total
number which includes the new password should not be greater or equal to this
value. Setting the value to zero (the default) disables this feature. Thus, to
enable this feature, values must be greater than 0. This feature depends on
the `sql` backend for the `[identity] driver`.
"""))

# default=0 allows immediate changes.  The help text explains why a non-zero
# value matters once `unique_last_password_count` is enabled: it stops a user
# from cycling through the history to get back to an old password.
minimum_password_age = cfg.IntOpt(
    'minimum_password_age',
    default=0,
    min=0,
    help=utils.fmt("""
The number of days that a password must be used before the user can change it.
This prevents users from changing their passwords immediately in order to wipe
out their password history and reuse an old password. This feature does not
prevent administrators from manually resetting passwords. It is disabled by
default and allows for immediate password changes. This feature depends on the
`sql` backend for the `[identity] driver`. Note: If `[security_compliance]
password_expires_days` is set, then the value for this option should be less
than the `password_expires_days`.
"""))

# No default: per the help text, an unset regex accepts any password.  The
# help string is a plain (non-raw) triple-quoted literal, so the `\d` in the
# example is an invalid escape there; that is what the `noqa: W605` on the
# closing line suppresses.
password_regex = cfg.StrOpt(
    'password_regex',
    help=utils.fmt("""
The regular expression used to validate password strength requirements. By
default, the regular expression will match any password. The following is an
example of a pattern which requires at least 1 letter, 1 digit, and have a
minimum length of 7 characters: ^(?=.*\\\d)(?=.*[a-zA-Z]).{7,}$ This feature
depends on the `sql` backend for the `[identity] driver`.
""")) # noqa: W605

# Per the help text this string is returned verbatim to the requesting user
# when the regex does not match, so it should describe the policy only, never
# the pattern's internals or anything deployment-sensitive.
password_regex_description = cfg.StrOpt(
    'password_regex_description',
    help=utils.fmt("""
Describe your password regular expression here in language for humans. If a
password fails to match the regular expression, the contents of this
configuration variable will be returned to users to explain why their
requested password was insufficient.
"""))

# default=False.  Per the help text, individual users (e.g. service accounts)
# are exempted through the user's `options` attribute
# `ignore_change_password_upon_first_use` rather than through this option.
change_password_upon_first_use = cfg.BoolOpt(
    'change_password_upon_first_use',
    default=False,
    help=utils.fmt("""
Enabling this option requires users to change their password when the user is
created, or upon administrative reset. Before accessing any services, affected
users will have to change their password. To ignore this requirement for
specific users, such as service users, set the `options` attribute
`ignore_change_password_upon_first_use` to `True` for the desired user via the
update user API. This feature is disabled by default. This feature is only
applicable with the `sql` backend for the `[identity] driver`.
"""))


# Last dotted component of the module name, i.e. the config group name
# ("security_compliance" for this file).
GROUP_NAME = __name__.split('.')[-1]
# Every option of the group, in registration order; register_opts() and
# list_opts() below both hand out this same list.
ALL_OPTS = [
    disable_user_account_days_inactive,
    lockout_failure_attempts,
    lockout_duration,
    password_expires_days,
    unique_last_password_count,
    minimum_password_age,
    password_regex,
    password_regex_description,
    change_password_upon_first_use
]
140 
141 
def register_opts(conf):
    """Register all ``[security_compliance]`` options on *conf*.

    Args:
        conf: the configuration object to register on -- presumably an
            oslo.config ``ConfigOpts`` instance; the only thing used here
            is its ``register_opts`` method.
    """
    group_name = GROUP_NAME
    conf.register_opts(ALL_OPTS, group=group_name)
144 
145 
def list_opts():
    """Return this module's options keyed by their config group name.

    Returns:
        dict: a single entry mapping ``GROUP_NAME`` to the module-level
        ``ALL_OPTS`` list itself (not a copy).  Presumably consumed by an
        oslo.config option-listing entry point -- confirm against the
        package metadata.
    """
    listing = {}
    listing[GROUP_NAME] = ALL_OPTS
    return listing