taikun.cloud

Taikun Logo

Taikun OCP Guide

Table of Contents

Resource Options

A resource option is an attribute that can be optionally set on an
entity in keystone. These options are used to control specific features
or behaviors within keystone. This allows flexibility on a per-resource
basis as opposed to settings a configuration file value that controls a
behavior for all resources in a deployment.

This flexibility can be useful for deployments is setting different
authentication requirements for users. For example, operators can use
resource options to set the number of failed authentication attempts on
a per-user basis as opposed to setting a global value that is applied to
all users.

The purpose of this document is to formally document the supported
resource options used in keystone, their intended behavior, and how to
use them.

User Options

The following options are available on user resources. If left
undefined, they are assumed to be false or disabled.

These can be set either in the initial user creation
(POST /v3/users) or by updating an existing user to include
new options (PATCH /v3/users/{user_id}):

{
    "user": {
        "options": {
            "ignore_lockout_failure_attempts": true
        }
    }
}

Note

User options of the Boolean type can be set to
True, False, or None; if the
option is set to None, it is removed from the user’s data
structure.

ignore_user_inactivity

Type: Boolean

Opt into ignoring global inactivity lock settings defined in
keystone.conf [security_compliance] on a per-user basis.
Setting this option to True will make users not set as
disabled even after the globally configured inactivity period is
reached.

{
    "user": {
        "options": {
            "ignore_user_inactivity": true
        }
    }
}

Note

Setting this option for users which are already disabled will not
make them automatically enabled. Such users must be enabled manually
after setting this option to True for them.

See the security compliance
documentation
for more details.

ignore_change_password_upon_first_use

Type: Boolean

Control if a user should be forced to change their password
immediately after they log into keystone for the first time. This can be
useful for deployments that auto-generate passwords but want to ensure a
user picks a new password when they start using the deployment.

{
    "user": {
        "options": {
            "ignore_change_password_upon_first_use": true
        }
    }
}

See the security compliance documentation
<security_compliance>
for more details.

ignore_password_expiry

Type: Boolean

Opt into ignoring global password expiration settings defined in
keystone.conf [security_compliance] on a per-user basis.
Setting this option to True will allow users to continue
using passwords that may be expired according to global configuration
values.

{
    "user": {
        "options": {
            "ignore_password_expiry": true
        }
    }
}

See the security compliance documentation
<security_compliance>
for more details.

ignore_lockout_failure_attempts

Type: Boolean

If True, opt into ignoring the number of times a user
has authenticated and locking out the user as a result.

{
    "user": {
        "options": {
            "ignore_lockout_failure_attempts": true
        }
    }
}

See the security compliance documentation
<security_compliance>
for more details.

lock_password

Type: Boolean

If set to True, this option disables the ability for
users to change their password through self-service APIs.

{
    "user": {
        "options": {
            "lock_password": true
        }
    }
}

See the security compliance documentation
<security_compliance>
for more details.

multi_factor_auth_enabled

Type: Boolean

Specify if a user has multi-factor authentication enabled on their
account. This will result in different behavior at authentication time
and the user may be presented with different authentication requirements
based on multi-factor configuration.

{
    "user": {
        "options": {
            "multi_factor_auth_enabled": true
        }
    }
}

See multi_factor_authentication for further details.

multi_factor_auth_rules

Type: List of Lists of Strings

Define a list of strings that represent the methods required for a
user to authenticate.

{
    "user": {
        "options": {
            "multi_factor_auth_rules": [
                ["password", "totp"],
                ["password", "u2f"]
            ]
        }
    }
}

See multi_factor_authentication for further details.

Role Options

The following options are available on role resources. If left
undefined, they are assumed to be false or disabled.

immutable

Type: Boolean

Specify whether a role is immutable. An immutable role may not be
deleted or modified except to remove the immutable
option.

{
    "role": {
        "options": {
            "immutable": true
        }
    }
}

Project Options

The following options are available on project resources. If left
undefined, they are assumed to be false or disabled.

immutable

Type: Boolean

Specify whether a project is immutable. An immutable project may not
be deleted or modified except to remove the immutable
option.

{
    "project": {
        "options": {
            "immutable": true
        }
    }
}

Domain Options

The following options are available on domain resources. If left
undefined, they are assumed to be false or disabled.

immutable

Type: Boolean

Specify whether a domain is immutable. An immutable domain may not be
deleted or modified except to remove the immutable
option.

{
    "domain": {
        "options": {
            "immutable": true
        }
    }
}