Public | Automated Build

Last pushed: 4 hours ago
Short Description
Full Description

Keystone SPASSWORD extension

Keystone SPASSWORD is an OpenStack Keystone extension that enables
some extra security checks over user passwords, as force the usage of strong passwords,
expiration time for a password, number of bad login attempts before user account became temporarily blocked,
a recover procedure password, a second factor authentication (2FA) and so on.


RPM installing on RDO Openstack

Installing from RPM is pretty straightforward:

rpm -Uvh keystone-spassword-*.noarch.rpm

Once installed you can fine-tune options (out-of-the box the
installation configures default values for that options at /etc/keystone/keystone.conf).

enabled = true
pwd_exp_days = 365
pwd_max_tries = 5
pwd_block_minutes = 30
pwd_user_blacklist = user_id_list
smtp_server = ''
smtp_port = 587
smtp_tls = true
smtp_user = ''
smtp_password = 'yourpassword'
smtp_from = 'smtpuser'

keystone-spassword enables two new authentication and identity plugins, which extends
default provided plugins to ensure the use of strong passwords, to check expiration time
and to control the number of tries that an user can use badly their password before be blocked.
This way keystone-spassword extend token data returned from keystone to user by
"POST /v3/auth/tokens", including new fields in 'extra' dictionary of 'token':

 "extras": {
     "password_creation_time": "2016-12-01T08:55:34Z",
     "pwd_user_in_blacklist": false,
     "password_expiration_time": "2017-12-01T08:55:34Z",
     "last_login_attempt_time": "2017-05-01T06:45:00Z"


paste.filter_factory = keystone_spassword.contrib.spassword.routers:PasswordExtension.factory

paste.filter_factory = keystone_spassword.contrib.spassword:PasswordMiddleware.factory

Restart Keystone server:

sudo service openstack-keystone restart

TGZ installaton

Uncompress tgz file plugin into python site-packages directory.
Make a soft link from keystone contrib directory to that directory.
For more details see [RPM spec steps ][./keystone-spassword.spec).

Install Keystone

There is a complete guide to install step by step keystone for development purposes:


SPASSWORD extension reuses the authentication and authorization mechanisms provided
by Keystone. This document assumes that the reader has previous experience
with Keystone, but as a reference you can read more about the Keystone
Authentication and Authorization mechanism in it's
official documentation.

Building and packaging

In any OS (Linux, OSX) with a sane build environment (basically with rpmbuild
installed), the RPM package can be built invoking the following command:

sh ./


Local development (by default using sqlite). Running a local development
server is useful to test a full featured Keystone server with SPASSWORD extension,
and installation is straightforward following these steps:

Setup a virtualenv (highly recommended).

virtualenv .venv

Activate virtualenv

source .venv/bin/activate

Download dependencies

pip install -r requirements.txt
pip install -r test-requirements.txt
pip install tox

Running tests (functional and unit tests)

tox -e py27

Setting up local development server. First populate database (remember that
this will use sqlite).

keystone-manage db_sync --extension spassword

Launch server

PYTHONPATH=.:$PYTHONPATH keystone-all --config-dir etc

LDAP integration

Second Factor Authentication

Docker Pull Command