Add password hash algorithm and rounds config

Adds the password_hash_algorithm and
password_hash_rounds configuration options.

These can be used to configure the password
hash algorithm and the number of rounds
keystone should apply when hashing passwords.

Change-Id: I5160e59522b5cf96eb80f83ab7f2ca593b64fe54
Tobias Urdin 2018-09-13 11:23:40 +02:00
parent c948359a1b
commit 92b307db46
3 changed files with 33 additions and 1 deletions


@ -75,6 +75,14 @@
# (optional) Amount of time a token should remain valid (seconds).
# Defaults to 3600 (1 hour).
#
# [*password_hash_algorithm*]
# (optional) The password hash algorithm to use.
# Defaults to $::os_service_default
#
# [*password_hash_rounds*]
# (optional) The amount of rounds to do on the hash.
# Defaults to $::os_service_default
#
# [*revoke_driver*]
# (optional) Driver for token revocation.
# Defaults to $::os_service_default
@ -663,6 +671,8 @@ class keystone(
$token_provider = 'fernet',
$token_driver = 'sql',
$token_expiration = 3600,
$password_hash_algorithm = $::os_service_default,
$password_hash_rounds = $::os_service_default,
$revoke_driver = $::os_service_default,
$revoke_by_id = true,
$public_endpoint = $::os_service_default,
@ -846,7 +856,12 @@ admin_token will be removed in a later release")
}
keystone_config {
'revoke/driver': value => $revoke_driver;
'identity/password_hash_algorithm': value => $password_hash_algorithm;
'identity/password_hash_rounds': value => $password_hash_rounds;
}
keystone_config {
'revoke/driver': value => $revoke_driver;
}
keystone_config {
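Review bot: `$password_hash_algorithm` and `$password_hash_rounds` are written straight to `identity/password_hash_algorithm` and `identity/password_hash_rounds` with no validation, and the header docs give neither the accepted algorithm names nor the fact that the meaning and valid range of the rounds value depend on the algorithm. A typo, or a rounds value meant for a different algorithm, is presumably only caught when keystone loads the file, and a value that is too low silently weakens every password hash stored from then on. I would extend the docs to something like `# (optional) The password hash algorithm to use: bcrypt, scrypt or pbkdf2_sha512.` and `# (optional) Work factor for the chosen algorithm; the valid range differs per algorithm, see the keystone [identity] options.`, and consider rejecting unknown algorithm names in the class body. The class body starts and ends outside these hunks, so any validation done elsewhere is not visible here.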


@ -0,0 +1,5 @@
---
features:
- |
Added new parameters password_hash_algorithm and password_hash_rounds
to keystone class that can be used to configure the password hash algorithm.


@ -32,6 +32,8 @@ describe 'keystone' do
'catalog_driver' => false,
'token_provider' => 'fernet',
'token_driver' => 'sql',
'password_hash_algorithm' => '<SERVICE DEFAULT>',
'password_hash_rounds' => '<SERVICE DEFAULT>',
'revoke_driver' => 'sql',
'revoke_by_id' => true,
'cache_dir' => '/var/cache/keystone',
@ -86,6 +88,8 @@ describe 'keystone' do
'catalog_type' => 'template',
'token_provider' => 'uuid',
'token_driver' => 'kvs',
'password_hash_algorithm' => 'pbkdf2_sha512',
'password_hash_rounds' => '29000',
'revoke_driver' => 'kvs',
'revoke_by_id' => false,
'public_endpoint' => 'https://localhost:5000/v2.0/',
@ -205,6 +209,14 @@ describe 'keystone' do
is_expected.to contain_keystone_config('revoke/driver').with_value(param_hash['revoke_driver'])
end
it 'should contain password_hash_algorithm' do
is_expected.to contain_keystone_config('identity/password_hash_algorithm').with_value(param_hash['password_hash_algorithm'])
end
it 'should contain password_hash_rounds' do
is_expected.to contain_keystone_config('identity/password_hash_rounds').with_value(param_hash['password_hash_rounds'])
end
it 'should contain default revoke_by_id value ' do
is_expected.to contain_keystone_config('token/revoke_by_id').with_value(param_hash['revoke_by_id'])
end
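Review bot: The non-default fixture sets `'password_hash_rounds' => '29000'` together with `pbkdf2_sha512`, which is well below current guidance for PBKDF2-HMAC-SHA512 work factors, and spec fixtures tend to be copied into real hieradata. A trailing comment on that line such as `# arbitrary test value, not a recommended work factor` would make the intent clear. The value is also passed only as a string; an operator would more likely write an integer, so one case with `29000` unquoted would cover the form actually used. The parameter hashes and the `describe` block start outside these hunks.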