ISWest contracted CloudSand to develop the Advanced Password Management Engine
(APME). ISWest, the owner and sponsor of APME, would like to donate the APME
feature to the Apache CloudStack Community. Special thanks go to ISWest -
Clayton Weise for supporting the Apache CloudStack Community and choosing to
donate this feature.
For technical design questions, please reach out to me directly via this
thread, or email me and CC Clayton Weise from ISWest.
Thanks
-ilya
Abstract:
Present versions of Apache CloudStack, up until the latest version (4.2), lack
secure and granular password management control for domain admins and domain
users.
Specifically, there is no way for a domain admin to enforce complex password
rules, password expiration and password history for domain users. Moreover,
basic domain users cannot change their passwords, and a domain admin cannot lock
or reset the password of a domain user within the same domain.
Current state:
This feature has been developed on the 4.0 code base and will be thoroughly tested
in multiple environments. This feature will be ported to the latest 4.2 code base
and tested yet again by ISWest and CloudSand.
Feature details and Specifications:
Exceptions:
0) Don't use APME if CloudStack is configured to use an external source (LDAP/AD);
display a friendly message on the password manager page that this environment is
using an external user authentication mechanism.
1. Create a page under the domain user admin tab to enforce password
   complexity for domain users by the domain admin
   1. Enforce usage of
      1. Upper case and lower case characters and digits
      2. Special characters such as !@#$%^&*()
      3. Password character limit must be greater than "x"
      4. Password expiration every x number of days for all users in the domain
      5. Avoid the last X passwords previously used, kept in a password
         history table
      6. Don't apply the password manager rule set to specific users,
         separated by commas in a field (with service accounts in mind)
2. Enable the ability for the domain admin to change the password of domain
   users
3. Enable the ability for a domain user to reset his password
4. The APME task is configurable via global settings
5. A global customizable email notification is configured via global
   settings, with username, domain and password expiration date in the
   email body, passed on as attributes, i.e. <username>, <password>,
   <domain>, etc.
Conditions:
Rules apply to each CloudStack domain; each domain may have different rules.
If a new password complexity is defined for an applicable existing user base, it
will take effect on the next APME job execution. The password complexity rules
will be effective immediately if the user changes his password in the UI.
All users will get an email notification that they have to change their password
upon login to CS within the grace period (set to -1 if you need an immediate
change); this takes effect the next time the APME task is run.
If the user changes the password prior to expiration, mark in the table that the
user has reset the password.
If the password complexity has been relaxed from a more restrictive set, do
nothing.
If a new user is added and APME is enabled, the user must adhere to the APME rule
set.
Notification rules:
Email the user daily before the password expires to notify them that the user
needs to reset the password. The advanced email notification rule is configured
in global settings.
Display an event on the user's page that the password is expiring in X days.
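The rule set above (complexity, per-domain expiry, history depth, grace period with -1 meaning an immediate change, and a comma-separated exemption list for service accounts) maps onto a small policy module. The following is an added illustration of that logic written for this page; it is not code from the proposal, from CloudSand or from Apache CloudStack, and every name in it (DomainPolicy, change_password, password_status, the notify_days field, the PBKDF2 cost) is an assumption chosen for the example. History entries are stored as salted hashes rather than plaintext, and the expiry check returns the action the APME job or login hook should take for a user on a given day.

```python
"""Per-domain password policy modelled on the APME rule set described above.
Added illustration only; names and defaults are assumptions, not CloudStack's."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date, timedelta

SPECIAL_CHARS = set("!@#$%^&*()")   # the special characters the proposal lists
PBKDF2_ROUNDS = 100_000             # hashing cost for the history table (assumed)


@dataclass(frozen=True)
class DomainPolicy:
    """Rule set attached to one CloudStack domain; each domain gets its own instance."""
    min_length: int = 12          # "password character limit must be greater than x"
    expiry_days: int = 90         # "password expiration every x number of days"
    history_depth: int = 5        # "avoid the last X passwords previously used"
    grace_days: int = 7           # days after expiry to change at login; -1 = immediately
    notify_days: int = 14         # start the daily warning mails this far ahead (assumed)
    exempt_users: frozenset = frozenset()  # service accounts, comma-separated in the UI


def parse_exempt_users(field: str) -> frozenset:
    """Turn the comma-separated exemption field into a set of usernames."""
    return frozenset(name.strip() for name in field.split(",") if name.strip())


def complexity_violations(password: str, policy: DomainPolicy) -> list:
    """Return every complexity rule the candidate breaks; an empty list means accepted."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special character from " + "".join(sorted(SPECIAL_CHARS)))
    return problems


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256 entry for the history table; plaintext is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def reused_from_history(password: str, history: list, policy: DomainPolicy) -> bool:
    """True if the candidate equals one of the last history_depth entries (newest first)."""
    for salt, digest in history[: policy.history_depth]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):   # constant-time comparison
            return True
    return False


def change_password(username: str, new_password: str, history: list, policy: DomainPolicy) -> tuple:
    """Apply the domain rule set to a password change.
    Returns (problems, history): on acceptance problems is empty and the new entry is
    prepended to history; on rejection history is returned unchanged. Exempt users
    (service accounts) bypass the rules but their change is still recorded."""
    if username not in policy.exempt_users:
        problems = complexity_violations(new_password, policy)
        if reused_from_history(new_password, history, policy):
            problems.append(f"matches one of the last {policy.history_depth} passwords")
        if problems:
            return problems, history
    return [], [hash_password(new_password)] + history


def password_status(username: str, last_changed: date, today: date, policy: DomainPolicy) -> str:
    """What the APME job or login hook should do for this user today:
    'exempt' | 'ok' | 'expiring:<days left>' (send the daily mail) |
    'grace:<days left>' (must change at login before grace runs out) | 'must_change'."""
    if username in policy.exempt_users:
        return "exempt"
    days_left = (last_changed + timedelta(days=policy.expiry_days) - today).days
    if days_left > 0:
        return f"expiring:{days_left}" if days_left <= policy.notify_days else "ok"
    if policy.grace_days < 0:
        return "must_change"                      # -1: no grace period at all
    grace_left = policy.grace_days + days_left    # days_left is zero or negative here
    return f"grace:{grace_left}" if grace_left > 0 else "must_change"


if __name__ == "__main__":
    policy = DomainPolicy(min_length=10, history_depth=2,
                          exempt_users=parse_exempt_users("svc-backup, svc-monitor"))
    problems, history = change_password("alice", "Correct#Horse1", [], policy)
    print("first change:", problems or "accepted")
    problems, history = change_password("alice", "Correct#Horse1", history, policy)
    print("immediate reuse:", problems)
    print("status on 2013-03-28:", password_status("alice", date(2013, 1, 1), date(2013, 3, 28), policy))
```

Two points worth noting in the design: the history check rehashes the candidate with each stored salt and compares in constant time, so the table never needs plaintext; and the grace arithmetic treats the expiry date itself as the first grace day, so with grace_days=7 a user has seven logins' worth of days to change before the account is forced, while grace_days=-1 forces the change on the expiry date.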