From df336272f040206be2e66e03e29828540670b5d8 Mon Sep 17 00:00:00 2001
From: Vladyslav Drok <vdrok@mirantis.com>
Date: Mon, 17 Dec 2018 10:29:49 -0800
Subject: [PATCH] Enable keystone brute-force protection by default

This change sets the lockout_failure_attempts and lockout_duration
configuration options in the security_compliance group.

Change-Id: I72910e52239ace23b92d826794cd0603a061e6c3
---
 keystone/values.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/keystone/values.yaml b/keystone/values.yaml
index 6a824ea0fa..fdeda2069d 100644
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
@@ -430,6 +430,10 @@ conf:
       backend: dogpile.cache.memcached
     oslo_messaging_notifications:
       driver: messagingv2
+    security_compliance:
+      # NOTE(vdrok): The following two options have effect only for SQL backend
+      lockout_failure_attempts: 5
+      lockout_duration: 1800
   # NOTE(lamt) We can leverage multiple domains with different
   # configurations as outlined in
   # https://docs.openstack.org/keystone/pike/admin/identity-domain-specific-config.html.
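Review bot: Enabling `lockout_failure_attempts: 5` by default trades brute-force resistance for availability, and the NOTE above the two new keys does not say so: five failed logins lock the named account for 1800 seconds, whoever sent them. That presumably includes the service users the other OpenStack components authenticate with, if they live in the SQL identity backend; this hunk does not show whether they are exempted. I would extend the comment to something like `# attempts / seconds; applies to every SQL-backed user, so exempt service accounts via the ignore_lockout_failure_attempts user option`, and add that `lockout_duration` has no effect unless `lockout_failure_attempts` is non-zero. Operators should also alert on failed-authentication notifications, so that a lockout is noticed before it surfaces as failing API calls.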