Name: fiware-keystone-spassword
Owner: Telefónica I+D
Description: Keystone SPASSWORD is an OpenStack Keystone extension that adds extra security checks on user passwords, such as enforcing strong passwords, password expiration, a limit on failed login attempts before the user account is temporarily blocked, a password recovery procedure, second-factor authentication, etc.
Created: 2015-08-06 11:14:32.0
Updated: 2018-05-10 06:54:03.0
Pushed: 2018-05-10 06:54:02.0
Size: 386
Language: Python
Keystone SPASSWORD is an OpenStack Keystone extension that adds extra security checks on user passwords, such as enforcing strong passwords, password expiration, a limit on failed login attempts before the user account is temporarily blocked, a password recovery procedure, second-factor authentication (2FA) and so on.
Installing from RPM is pretty straightforward:
```sh
rpm -Uvh keystone-spassword-*.noarch.rpm
```
Once installed, you can fine-tune the options (out of the box, the installation configures default values for those options in /etc/keystone/keystone.conf).
```ini
[spassword]
enabled = true
exp_days = 365
max_tries = 5
block_minutes = 30
user_blacklist = user_id_list
smtp_server = '0.0.0.0'
smtp_port = 587
smtp_tls = true
smtp_user = 'smtpuser@yourdomain.com'
smtp_password = 'yourpassword'
smtp_from = 'smtpuser'
```
keystone-spassword enables two new authentication and identity plugins, which extend the default plugins to enforce strong passwords, check password expiration, and limit the number of failed password attempts a user can make before being blocked. keystone-spassword also extends the token data that Keystone returns to the user for `POST /v3/auth/tokens`, adding new fields in the 'extra' dictionary of 'token':
```json
"extras": {
    "password_creation_time": "2016-12-01T08:55:34Z",
    "pwd_user_in_blacklist": false,
    "password_expiration_time": "2017-12-01T08:55:34Z",
    "last_login_attempt_time": "2017-05-01T06:45:00Z"
},
```
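A client can read these fields at login to warn a user before the password expires. This is an added example, not code from the keystone-spassword project; it assumes the response body nests the fields as `token` then `extras`, and `password_status`, `parse_ts`, `warn_days` and the sample body are hypothetical names and constructed data.

```python
import json
from datetime import datetime, timezone

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # timestamp layout shown in the token above

# Constructed sample response body (assumed nesting: token -> extras).
SAMPLE_BODY = json.dumps({"token": {"extras": {
    "password_creation_time": "2016-12-01T08:55:34Z",
    "pwd_user_in_blacklist": False,
    "password_expiration_time": "2017-12-01T08:55:34Z",
    "last_login_attempt_time": "2017-05-01T06:45:00Z",
}}})


def parse_ts(value):
    """Parse a UTC timestamp such as 2017-12-01T08:55:34Z."""
    return datetime.strptime(value, TS_FORMAT).replace(tzinfo=timezone.utc)


def password_status(body, now, warn_days=30):
    """Classify password expiry from a POST /v3/auth/tokens response body.

    warn_days is a hypothetical client-side threshold, not an extension option.
    """
    extras = json.loads(body).get("token", {}).get("extras") or {}
    expires = extras.get("password_expiration_time")
    result = {"state": "unknown", "days_left": None,
              "blacklisted": extras.get("pwd_user_in_blacklist")}
    if expires is None:
        # Extension disabled or fields absent: report unknown, do not guess.
        return result
    # timedelta.days floors, so any moment past expiry gives a negative value.
    result["days_left"] = (parse_ts(expires) - now).days
    if result["days_left"] < 0:
        result["state"] = "expired"
    elif result["days_left"] <= warn_days:
        result["state"] = "expiring"
    else:
        result["state"] = "ok"
    return result


if __name__ == "__main__":
    print(password_status(SAMPLE_BODY, parse_ts("2017-11-15T00:00:00Z")))
```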
```ini
[auth]
password=keystone_spassword.contrib.spassword.SPassword
```

and

```ini
[identity]
driver=keystone_spassword.contrib.spassword.backends.sql.Identity
```

```ini
[filter:spassword_checker]
paste.filter_factory = keystone_spassword.contrib.spassword.routers:PasswordExtension.factory
[filter:spassword_time]
paste.filter_factory = keystone_spassword.contrib.spassword:PasswordMiddleware.factory
```
Restart the Keystone server:

```sh
service openstack-keystone restart
```

Uncompress the plugin tgz file into the Python site-packages directory. Make a soft link from the Keystone contrib directory to that directory. For more details see [RPM spec steps](./keystone-spassword.spec).
There is a complete step-by-step guide to installing Keystone for development purposes:
https://github.com/telefonicaid/fiware-pep-steelskin/blob/master/keystoneInstallation.md
The SPASSWORD extension reuses the authentication and authorization mechanisms provided by Keystone. This document assumes that the reader has previous experience with Keystone, but as a reference you can read more about the Keystone authentication and authorization mechanism in its official documentation.
In any OS (Linux, OSX) with a sane build environment (basically with `rpmbuild` installed), the RPM package can be built by invoking the following command:

```sh
./package-keystone-spassword.sh
```
Local development (by default using `sqlite`). Running a local development server is useful to test a full-featured Keystone server with the SPASSWORD extension, and installation is straightforward following these steps:

Set up a virtualenv (highly recommended).

```sh
virtualenv .venv
```

Activate the virtualenv.

```sh
source .venv/bin/activate
```

Download dependencies.

```sh
pip install -r requirements.txt
pip install -r test-requirements.txt
pip install tox
```

Run the tests (functional and unit tests).

```sh
tox -e py27
```

Set up the local development server. First populate the database (remember that this will use `sqlite`).

```sh
keystone-manage db_sync --extension spassword
```

Launch the server.

```sh
PYTHONPATH=.:$PYTHONPATH keystone-all --config-dir etc
```