keystone.cmd.doctor package¶

Submodules¶

keystone.cmd.doctor.caching module¶

keystone.cmd.doctor.caching.symptom_caching_disabled()[source]¶

keystone.conf [cache] enabled is not enabled.

Caching greatly improves the performance of keystone, and it is highly recommended that you enable it.

keystone.cmd.doctor.caching.symptom_caching_enabled_without_a_backend()[source]¶

Caching is not completely configured.

Although caching is enabled in keystone.conf [cache] enabled, the default backend is still set to the no-op backend. Instead, configure keystone to point to a real caching backend like memcached.

keystone.cmd.doctor.credential module¶

keystone.cmd.doctor.credential.symptom_keys_in_credential_fernet_key_repository()[source]¶

Credential key repository is empty.

After configuring keystone to use the Fernet credential provider, you should use keystone-manage credential_setup to initially populate your key repository with keys, and periodically rotate your keys with keystone-manage credential_rotate.

keystone.cmd.doctor.credential.symptom_unique_key_repositories()[source]¶

Key repositories for encryption should be unique.

Even though credentials are encrypted using the same mechanism as Fernet tokens, they should have key repository locations that are independent of one another. Using the same repository to encrypt credentials and tokens can be considered a security vulnerability because ciphertext from the keys used to encrypt credentials is exposed as the token ID. Sharing a key repository can also lead to premature key removal during key rotation. This could result in indecipherable credentials, rendering them completely useless, or early token invalidation because the key that was used to encrypt the entity has been deleted.

Ensure keystone.conf [credential] key_repository and keystone.conf [fernet_tokens] key_repository are not pointing to the same location.

keystone.cmd.doctor.credential.symptom_usability_of_credential_fernet_key_repository()[source]¶

Credential key repository is not setup correctly.

The credential Fernet key repository is expected to be readable by the user running keystone, but not world-readable, because it contains security sensitive secrets.

keystone.cmd.doctor.database module¶

keystone.cmd.doctor.database.symptom_database_connection_is_not_SQLite()[source]¶

SQLite is not recommended for production deployments.

SQLite does not enforce type checking and has limited support for migrations, making it unsuitable for use in keystone. Please change your keystone.conf [database] connection value to point to a supported database driver, such as MySQL.

keystone.cmd.doctor.debug module¶

keystone.cmd.doctor.debug.symptom_debug_mode_is_enabled()[source]¶

Debug mode should be set to False.

Debug mode can be used to get more information back when trying to isolate a problem, but it is not recommended to be enabled when running a production environment.

Ensure keystone.conf debug is set to False

keystone.cmd.doctor.federation module¶

keystone.cmd.doctor.federation.symptom_comma_in_SAML_private_key_file_path()[source]¶

[saml] certfile should not contain a comma (,).

Because a comma is part of the API between keystone and the external xmlsec1 binary which utilizes the key, keystone cannot include a comma in the path to the private key file.

keystone.cmd.doctor.federation.symptom_comma_in_SAML_public_certificate_path()[source]¶

[saml] certfile should not contain a comma (,).

Because a comma is part of the API between keystone and the external xmlsec1 binary which utilizes the certificate, keystone cannot include a comma in the path to the public certificate file.

keystone.cmd.doctor.ldap module¶

keystone.cmd.doctor.ldap.symptom_LDAP_file_based_domain_specific_configs()[source]¶

Domain specific driver directory is invalid or contains invalid files.

If keystone.conf [identity] domain_specific_drivers_enabled is set to true, then support is enabled for individual domains to have their own identity drivers. The configurations for these can either be stored in a config file or in the database. The case we handle in this symptom is when they are stored in config files, which is indicated by keystone.conf [identity] domain_configurations_from_database being set to false.

keystone.cmd.doctor.ldap.symptom_LDAP_file_based_domain_specific_configs_formatted_correctly()[source]¶

LDAP domain specific configuration files are not formatted correctly.

If keystone.conf [identity] domain_specific_drivers_enabled is set to true, then support is enabled for individual domains to have their own identity drivers. The configurations for these can either be stored in a config file or in the database. The case we handle in this symptom is when they are stored in config files, which is indicated by keystone.conf [identity] domain_configurations_from_database being set to false. The config files located in the directory specified by keystone.conf [identity] domain_config_dir should be in the form of keystone.<domain_name>.conf and their contents should look something like this:

[ldap] url = ldap://ldapservice.thecustomer.com query_scope = sub

user_tree_dn = ou=Users,dc=openstack,dc=org user_objectclass = MyOrgPerson user_id_attribute = uid …

keystone.cmd.doctor.ldap.symptom_LDAP_group_members_are_ids_disabled()[source]¶

[ldap] group_members_are_ids is not enabled.

Because you’ve set keystone.conf [ldap] group_objectclass = posixGroup, we would have also expected you to enable set keystone.conf [ldap] group_members_are_ids because we suspect you’re using Open Directory, which would contain user ID’s in a posixGroup rather than LDAP DNs, as other object classes typically would.

keystone.cmd.doctor.ldap.symptom_LDAP_user_enabled_emulation_dn_ignored()[source]¶

[ldap] user_enabled_emulation_dn is being ignored.

There is no reason to set this value unless keystone.conf [ldap] user_enabled_emulation is also enabled.

keystone.cmd.doctor.ldap.symptom_LDAP_user_enabled_emulation_use_group_config_ignored()[source]¶

[ldap] user_enabled_emulation_use_group_config is being ignored.

There is no reason to set this value unless keystone.conf [ldap] user_enabled_emulation is also enabled.

keystone.cmd.doctor.security_compliance module¶

keystone.cmd.doctor.security_compliance.symptom_invalid_password_regular_expression()[source]¶

Invalid password regular expression.

The password regular expression is invalid and users will not be able to make password changes until this has been corrected.

Ensure [security_compliance] password_regex is a valid regular expression.

keystone.cmd.doctor.security_compliance.symptom_minimum_password_age_greater_than_expires_days()[source]¶

Minimum password age should be less than the password expires days.

If the minimum password age is greater than or equal to the password expires days, then users would not be able to change their passwords before they expire.

Ensure [security_compliance] minimum_password_age is less than the [security_compliance] password_expires_days.

keystone.cmd.doctor.security_compliance.symptom_password_regular_expression_description_not_set()[source]¶

Password regular expression description is not set.

The password regular expression is set, but the description is not. Thus, if a user fails the password regular expression, they will not receive a message to explain why their requested password was insufficient.

Ensure [security_compliance] password_regex_description is set with a description of your password regular expression in a language for humans.

keystone.cmd.doctor.tokens module¶

keystone.cmd.doctor.tokens.symptom_unreasonable_max_token_size()[source]¶

keystone.conf [DEFAULT] max_token_size should be adjusted.

This option is intended to protect keystone from unreasonably sized tokens, where “reasonable” is mostly dependent on the keystone.conf [token] provider that you’re using. If you’re using one of the following token providers, then you should set keystone.conf [DEFAULT] max_token_size accordingly:

• For UUID, set keystone.conf [DEFAULT] max_token_size = 32, because UUID tokens are always exactly 32 characters.
• For Fernet, set keystone.conf [DEFAULT] max_token_size = 255, because Fernet tokens should never exceed this length in most deployments. However, if you are also using keystone.conf [identity] driver = ldap, Fernet tokens may not be built using an efficient packing method, depending on the IDs returned from LDAP, resulting in longer Fernet tokens (adjust your max_token_size accordingly).

keystone.cmd.doctor.tokens_fernet module¶

keystone.cmd.doctor.tokens_fernet.symptom_keys_in_Fernet_key_repository()[source]¶

Fernet key repository is empty.

After configuring keystone to use the Fernet token provider, you should use keystone-manage fernet_setup to initially populate your key repository with keys, and periodically rotate your keys with keystone-manage fernet_rotate.

keystone.cmd.doctor.tokens_fernet.symptom_usability_of_Fernet_key_repository()[source]¶

Fernet key repository is not setup correctly.

The Fernet key repository is expected to be readable by the user running keystone, but not world-readable, because it contains security-sensitive secrets.

Module contents¶

keystone.cmd.doctor.diagnose()[source]¶

Report diagnosis for any symptoms we find.

Returns true when any symptoms are found, false otherwise.

keystone.cmd.doctor.gather_symptoms()[source]¶

Gather all of the objects in this module that are named symptom_*.