Password Complexity Policy

Overview

Hydrolix can enforce a password complexity policy for your users. There are two settings that control this feature:

| Setting Name | Type | Default | Description |
|---|---|---|---|
| enable_password_complexity_policy | boolean | false | Enables and disables stricter password creation rules |
| password_expiration_policy | non-negative integer | (No expiration) | Number of days allowed between password changes |

Password Complexity Requirements

Once enable_password_complexity_policy is activated, your Hydrolix cluster will enforce these rules:

  • Minimum Length: 8 characters
  • Uppercase Characters: At least 1
  • Lowercase Characters: At least 1
  • Digits: At least 1
  • Special Characters: At least 1
  • Not Recently Used: The past 24 passwords
  • Not Username: Not the same as your username
  • Not Email: Not the same as your email
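
The rules above written as a checker, for example to vet candidate passwords before enabling the policy. This is an added example, not Hydrolix code: the function names, the PBKDF2 history storage, the reading of "special" as ASCII punctuation, and the case-insensitive username/email comparison are all assumptions.

```python
import hashlib
import hmac
import os
import string

HISTORY_DEPTH = 24       # "Not Recently Used: The past 24 passwords"
PBKDF2_ROUNDS = 100_000  # assumption: storage scheme chosen for this example


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_history_entry(password):
    """Return (salt, digest) as it would be stored for one past password."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def policy_violations(password, username, email, history=()):
    """Return the names of the rules listed on the page that `password` breaks."""
    failed = []
    if len(password) < 8:
        failed.append("Minimum Length")
    if not any(c.isupper() for c in password):
        failed.append("Uppercase Characters")
    if not any(c.islower() for c in password):
        failed.append("Lowercase Characters")
    if not any(c.isdigit() for c in password):
        failed.append("Digits")
    # Assumption: "special" means ASCII punctuation.
    if not any(c in string.punctuation for c in password):
        failed.append("Special Characters")
    # Assumption: comparisons with username and email ignore case.
    if password.casefold() == username.casefold():
        failed.append("Not Username")
    if password.casefold() == email.casefold():
        failed.append("Not Email")
    # Past passwords exist only as salted hashes, so the candidate is
    # re-hashed with each stored salt and compared in constant time.
    for salt, digest in list(history)[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt), digest):
            failed.append("Not Recently Used")
            break
    return failed
```

A password equal to the user's email can satisfy every character-class rule, which is why the identity checks are evaluated separately from the composition checks.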

How to Enable Password Complexity Requirements

  1. Make sure that the existing user passwords in your account conform to the Password Complexity Requirements stated above.

  2. Run the update_passwords script. Replace <your_namespace> with the appropriate value.

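    # Look up the pod in the same namespace as the exec; head -n 1 picks one pod if several replicas match.
    kubectl --namespace <your_namespace> exec -it -c turbine-api $(kubectl --namespace <your_namespace> get pods | grep '^turbine-api' | awk '{print $1}' | head -n 1) -- python3 manage.py update_passwords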
    
  3. Delete any turbine-api init jobs and restart the operator. Make sure you replace <your_namespace> below with your Kubernetes namespace:

    kubectl get jobs -n <your_namespace> | grep init-turbine-api | awk '{print $1}' | xargs -I {} kubectl delete job -n <your_namespace> {}
    kubectl rollout restart deployment operator
    
  4. Restart the turbine-api and query-head deployments:

    kubectl rollout restart deployment query-head turbine-api
    

    Warnings about duplicate environment variable names when running the above command can be safely ignored.

  5. Add the two settings to your hydrolixcluster.yaml file. For example, to turn the feature on while specifying a 90-day password expiration policy:

    spec:
      ...
      enable_password_complexity_policy: true
      password_expiration_policy: 90
      ...