Add info for configuring Keystone's security compliance settings

These were added recently [1], and documentation was needed. [1] I3399129c41054a914bb91417c814cd063ee0c07e Change-Id: Ib586cd1c8a522116364894b1a1e9703e66cad257
2018-01-31 08:36:57 +02:00 · 2018-01-31 08:36:57 +02:00 · bb61cc7001
parent dd0ccf847a
commit bb61cc7001
2 changed files with 51 additions and 0 deletions
--- a/doc/source/install/advanced_deployment/features.rst
+++ b/doc/source/install/advanced_deployment/features.rst
@ -18,6 +18,7 @@ Documentation on how to enable and configure various features available in
   baremetal_overcloud
   ovs_dpdk_config
   deployed_server
+   keystone_security_compliance
   security_hardening
   api_policies
   disable_telemetry
--- a/doc/source/install/advanced_deployment/keystone_security_compliance.rst
+++ b/doc/source/install/advanced_deployment/keystone_security_compliance.rst
@ -0,0 +1,50 @@
+Keystone Security Compliance
+============================
+
+Keystone has several configuration options available in order to comply with
+standards such as Payment Card Industry - Data Security Standard (PCI-DSS)
+v3.1.
+
+TripleO exposes these features via Heat parameters. They will be listed below:
+
+* ``KeystoneChangePasswordUponFirstUse``: Enabling this option requires users
+  to change their password when the user is created, or upon administrative
+  reset.
+
+* ``KeystoneDisableUserAccountDaysInactive``: The maximum number of days a user
+  can go without authenticating before being considered "inactive" and
+  automatically disabled (locked).
+
+* ``KeystoneLockoutDuration``: The number of seconds a user account will be
+  locked when the maximum number of failed authentication attempts (as
+  specified by ``KeystoneLockoutFailureAttempts``) is exceeded.
+
+* ``KeystoneLockoutFailureAttempts``: The maximum number of times that a user
+  can fail to authenticate before the user account is locked for the number of
+  seconds specified by ``KeystoneLockoutDuration``.
+
+* ``KeystoneMinimumPasswordAge``: The number of days that a password must be
+  used before the user can change it. This prevents users from changing their
+  passwords immediately in order to wipe out their password history and reuse
+  an old password.
+
+* ``KeystonePasswordExpiresDays``: The number of days for which a password will
+  be considered valid before requiring it to be changed.
+
+* ``KeystonePasswordRegex``: The regular expression used to validate password
+  strength requirements.
+
+* ``KeystonePasswordRegexDescription``: Describe your password regular
+  expression here in language for humans.
+
+* ``KeystoneUniqueLastPasswordCount``: This controls the number of previous
+  user password iterations to keep in history, in order to enforce that newly
+  created passwords are unique.
+
+.. note:: All of the aforementioned options only apply to the SQL backend. For
+          other identity backends like LDAP, these configuration settings
+          should be applied on that backend's side.
+
+.. note:: All of these parameters are defined as type ``string`` in heat. As
+          per the implementation, if left unset, they will not be configured at
+          all in the keystone configuration.