diff --git a/lib/keystone b/lib/keystone
index 825fe44fca..34730b892a 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -131,6 +131,12 @@ fi
 KEYSTONE_AUTH_URI_V3=$KEYSTONE_AUTH_URI/v3
 KEYSTONE_SERVICE_URI_V3=$KEYSTONE_SERVICE_URI/v3
+# Security compliance
+KEYSTONE_SECURITY_COMPLIANCE_ENABLED=${KEYSTONE_SECURITY_COMPLIANCE_ENABLED:-True}
+KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS=${KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS:-2}
+KEYSTONE_LOCKOUT_DURATION=${KEYSTONE_LOCKOUT_DURATION:-5}
+KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT=${KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT:-2}
+
 # Functions
 # ---------
@@ -339,6 +345,12 @@ function configure_keystone {
 # allows policy changes in order to clarify the adminess scope.
 #iniset $KEYSTONE_CONF resource admin_project_domain_name Default
 #iniset $KEYSTONE_CONF resource admin_project_name admin
+
+ if [[ "$KEYSTONE_SECURITY_COMPLIANCE_ENABLED" = True ]]; then
+ iniset $KEYSTONE_CONF security_compliance lockout_failure_attempts $KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS
+ iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION
+ iniset $KEYSTONE_CONF security_compliance unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
+ fi
 }
 # create_keystone_accounts() - Sets up common required keystone accounts
diff --git a/lib/tempest b/lib/tempest
index 3915c570ee..4b8fbb7a46 100644
--- a/lib/tempest
+++ b/lib/tempest
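Review bot: In lib/keystone, `KEYSTONE_SECURITY_COMPLIANCE_ENABLED` is later compared with the exact string `True` (in `configure_keystone` and again in lib/tempest), so an override such as `true` or `1` silently leaves lockout and password history unconfigured. Normalising at the assignment with DevStack's helper avoids that fail-open: `KEYSTONE_SECURITY_COMPLIANCE_ENABLED=$(trueorfalse True KEYSTONE_SECURITY_COMPLIANCE_ENABLED)`. The `# Security compliance` comment could also state that the defaults (2 attempts, a 5-second lockout, a history of 2) are sized for fast test runs rather than offered as a policy, and that `lockout_duration` is in seconds.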
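Review bot: The `security_compliance` block added to `configure_keystone` in lib/keystone sets a deployment-wide policy, so with the default threshold of 2 the admin and service users lock out as easily as test users, and a couple of failed logins against a known username is enough to deny that account for the lockout duration. A comment above the `if` would make the trade-off visible, for example `# Lockout applies to every SQL-backed user, including admin/service accounts; keep thresholds this low only on disposable test clouds.` If the targeted Keystone release supports the per-user `ignore_lockout_failure_attempts` option, exempting the service accounts may be worth considering; that availability is an assumption to confirm. The function body starts outside the hunk.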
@@ -261,6 +261,9 @@ function configure_tempest {
 # Identity
 iniset $TEMPEST_CONFIG identity uri "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:5000/v2.0/"
 iniset $TEMPEST_CONFIG identity uri_v3 "$KEYSTONE_SERVICE_URI_V3"
+ iniset $TEMPEST_CONFIG identity user_lockout_failure_attempts $KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS
+ iniset $TEMPEST_CONFIG identity user_lockout_duration $KEYSTONE_LOCKOUT_DURATION
+ iniset $TEMPEST_CONFIG identity user_unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
 # Use domain scoped tokens for admin v3 tests, v3 dynamic credentials of v3 account generation
 iniset $TEMPEST_CONFIG identity admin_domain_scope True
 if [[ "$TEMPEST_HAS_ADMIN" == "True" ]]; then
@@ -285,6 +288,9 @@ function configure_tempest {
 fi
 # Identity Features
+ if [[ "$KEYSTONE_SECURITY_COMPLIANCE_ENABLED" = True ]]; then
+ iniset $TEMPEST_CONFIG identity-feature-enabled security_compliance True
+ fi
 # TODO(rodrigods): Remove the reseller flag when Kilo and Liberty are end of life.
 iniset $TEMPEST_CONFIG identity-feature-enabled reseller True
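Review bot: The three `identity user_*` values in the first `configure_tempest` hunk are written unconditionally, while lib/keystone applies the matching settings only when `KEYSTONE_SECURITY_COMPLIANCE_ENABLED` is `True`. With compliance disabled, tempest.conf then describes a lockout and password-history policy that Keystone is not enforcing, and only the feature flag set in the later hunk keeps tests from relying on it. Moving the three `iniset` lines inside the same guard, or adding a comment such as `# Only meaningful when identity-feature-enabled.security_compliance is True`, would keep the two files in agreement. The function continues outside the hunk.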
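Review bot: In the second `configure_tempest` hunk, `security_compliance` is only ever written as `True`; when the variable is disabled nothing is written, so the outcome depends on Tempest's default and on whatever an earlier run may have left in `$TEMPEST_CONFIG` (whether the file is regenerated is not visible here). Writing the value explicitly closes that gap: `iniset $TEMPEST_CONFIG identity-feature-enabled security_compliance $KEYSTONE_SECURITY_COMPLIANCE_ENABLED`, provided the variable has been normalised to `True`/`False` first. That way a run with compliance turned off cannot inherit a stale `True` and report lockout tests against a Keystone that is not enforcing them.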