Enable password complexity check and complex password generation in Nova

Registered by Zhenyu Zheng

When performing actions such as creating, evacuating, rebuilding or rescuing instances, or updating an instance's admin password, the complexity of the user-provided admin password is not verified. This can cause security problems.

When the user does not provide an admin password, generate_password() in utils.py is used to generate one. generate_password() currently uses two password symbol groups, default and easier: the default symbol group contains numbers, upper case letters and lower case letters; the easier symbol group contains only numbers and upper case letters. The generated password is not complex enough and can also cause security problems.

One solution for the first problem is to add a configuration option: using_complex_admin_password = True. If the administrator sets this option in the configuration file, Nova will perform password complexity checks; the check standards can be set to follow the general IT industry standard. If the provided admin password is not complex enough, an exception will be thrown. If this option is not set in the configuration file, the complexity check will be skipped.

One possible solution to the second problem is to add a new symbol group, STRONGER_PASSWORD_SYMBOLS, which contains numbers, upper case letters, lower case letters and also special characters such as `~!@#$%^&*()-_=+ and space. A new option is then added to the configuration file: generate_strong_password = True. When this option is set, Nova will generate the password using the STRONGER_PASSWORD_SYMBOLS symbol group and a longer password length. If this option is not set, the password will be generated using the default symbol group and default length.
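The two proposals above can be sketched together as follows. This is an added example, not code from Nova or from the blueprint's review: the function and exception names, the minimum length of 8, the generated length of 16, the rule "at least one character from every symbol group" and the use of Python's secrets module are all assumptions made for illustration.

```python
import secrets
import string

# The special characters are the ones listed in the blueprint; representing
# the group as a tuple of strings is an assumption of this sketch.
SPECIALS = "`~!@#$%^&*()-_=+ "
STRONGER_PASSWORD_SYMBOLS = (
    string.digits,
    string.ascii_uppercase,
    string.ascii_lowercase,
    SPECIALS,
)
GROUP_NAMES = ("digit", "upper case letter", "lower case letter",
               "special character")
MIN_LENGTH = 8       # assumed policy value, not from the blueprint
STRONG_LENGTH = 16   # assumed "longer password length"


class WeakPassword(ValueError):
    """Hypothetical exception raised when the complexity check fails."""


def check_password_complexity(password, min_length=MIN_LENGTH):
    """Raise WeakPassword unless the password meets the assumed policy."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    for name, group in zip(GROUP_NAMES, STRONGER_PASSWORD_SYMBOLS):
        if not any(c in group for c in password):
            problems.append("no " + name)
    if problems:
        raise WeakPassword("; ".join(problems))


def generate_strong_password(length=STRONG_LENGTH):
    """Return a random password that always passes the check above."""
    if length < max(MIN_LENGTH, len(STRONGER_PASSWORD_SYMBOLS)):
        raise ValueError("length too short for the complexity policy")
    # One character from each group guarantees every class is present.
    chars = [secrets.choice(g) for g in STRONGER_PASSWORD_SYMBOLS]
    pool = "".join(STRONGER_PASSWORD_SYMBOLS)
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    # Shuffle with the OS CSPRNG so the guaranteed characters do not sit
    # at predictable positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)
```

Because the special-character group includes a space, a generated password can begin or end with one, so any code that stores or injects it must not strip whitespace.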

Blueprint information

Status: Not started
Approver: None
Priority: Undefined
Drafter: Zhenyu Zheng
Direction: Needs approval
Assignee: Zhenyu Zheng
Definition: New
Series goal: None
Implementation: Unknown
Milestone target: None

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/password-complexity-check,n,z

Addressed by: https://review.openstack.org/192041
    Enable admin password complexity checks