pci dss

Registered by Ron De Rose on 2016-05-11

Payment Card Industry - Data Security Standard (PCI-DSS) v3.1 provides an industry standard for data security requirements and procedures. Although keystone deals with sensitive data (primarily passwords), it has not made any attempt to provide PCI-compliant tools to deployers for fear of re-implementing more mature identity management solutions. At the same time, deployers are taking on the additional burden of either deploying those fully featured identity management solutions just to support keystone, or are re-implementing these behaviors on top of keystone without community support.

Blueprint information

Status: Complete
Approver: Steve Martinelli
Priority: High
Drafter: Dolph Mathews
Direction: Approved
Assignee: Ron De Rose
Definition: Approved
Series goal: Accepted for newton
Implementation: Implemented
Milestone target: newton-3
Started by: Steve Martinelli on 2016-06-20
Completed by: Samuel de Medeiros Queiroz on 2016-08-18

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/pci-dss,n,z

Addressed by: https://review.openstack.org/314284
    PCI-DSS Password SQL model changes

Addressed by: https://review.openstack.org/320586
    PCI-DSS Password strength requirements

Addressed by: https://review.openstack.org/328339
    PCI-DSS Password history requirements

Addressed by: https://review.openstack.org/328447
    PCI-DSS Disable inactive users requirements

Addressed by: https://review.openstack.org/333360
    PCI-DSS Password expires validation

Addressed by: https://review.openstack.org/336318
    PCI-DSS Adds password_expires_at to API docs

Addressed by: https://review.openstack.org/340074
    PCI-DSS Lockout requirements

Gerrit topic: https://review.openstack.org/#q,topic:bp/pci-dss-patch55,n,z

Addressed by: https://review.openstack.org/340964
    PCI-DSS Adds password_expires_at to API specs

Addressed by: https://review.openstack.org/341150
    Address follow on comments 328447

Gerrit topic: https://review.openstack.org/#q,topic:(detached,n,z

Addressed by: https://review.openstack.org/343314
    PCI-DSS Minimum password age requirements

Addressed by: https://review.openstack.org/348915
    PCI-DSS Limit password changes per day

Gerrit topic: https://review.openstack.org/#q,topic:errors,n,z

Addressed by: https://review.openstack.org/350069
    Use %()d for integer substitution

Addressed by: https://review.openstack.org/351749
    Password expires ignore user list

Addressed by: https://review.openstack.org/355095
    Fix nits in PCI-DSS Minimum password age requirements

Gerrit topic: https://review.openstack.org/#q,topic:password-expires-ignore-list,n,z

Gerrit topic: https://review.openstack.org/#q,topic:pci-dss,n,z

Addressed by: https://review.openstack.org/403916
    PCI-DSS Force users to immediately change their password upon first use
