
Overview

Xloud Identity is the authentication and authorization backbone for the entire platform. Hardening this service reduces the blast radius of credential compromise, limits lateral movement across projects, and ensures audit trails are maintained. This guide covers the complete security hardening checklist for production Identity deployments.
Administrator Access Required — This operation requires the admin role. Contact your Xloud administrator if you do not have sufficient permissions.

Security Hardening Checklist

Enforce MFA for Admins

Require multi-factor authentication for all accounts with the admin role. Configure an MFA enforcement rule via the Identity service policy to block admin token issuance without a valid TOTP factor.

Rotate Fernet Keys

Schedule automated key rotation every 24 hours. XDeploy includes a cron-based rotation playbook that synchronizes keys across all Identity API nodes simultaneously.

Minimize Token Lifetime

Set keystone_token_expiration to 3600 seconds (1 hour) or less. Use application credentials with explicit expiry dates for automation pipelines instead of long-lived user tokens.

Audit Role Assignments

Review role assignments quarterly. Remove the admin role from any account that no longer requires elevated access. Export full audit reports regularly.

MFA Enforcement Policy

Enforce MFA for all accounts with the admin role by configuring an auth rules policy in /etc/xavs/keystone/policy.yaml (enforce MFA for admin token issuance):

  "identity:get_auth_token": "rule:admin_required and (rule:mfa_enabled or not role:admin)"

After applying, admin accounts without MFA enrolled cannot issue tokens. Apply the MFA enforcement policy with:

  xavs-ansible deploy --tags keystone

Enforce MFA in a staged rollout. Ensure all admin accounts have enrolled a TOTP device before applying the policy; otherwise admin accounts will be locked out. Validate the rule in a staging environment with both an admin and a non-admin account before promoting it to production.

Fernet Key Security

Verify key file permissions

Fernet keys must be readable only by the Identity service user. Check key file permissions:

  ls -la /var/lib/kolla/config_files/fernet-keys/

Expected: every key file is mode 0600 (shown by ls as -rw-------) and owned by keystone:keystone.
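The permission check above is easy to skim past when the directory holds several keys. The following script, added here as an example and not part of the Xloud documentation or the XDeploy playbooks, walks a key directory and reports any file that is not mode 0600 or not owned by the expected user and group; it also fails on an empty directory, which usually means the wrong path. It assumes GNU stat (Linux); the function name and argument layout are this example's own, while the directory path and the keystone owner come from the page.

```shell
#!/bin/sh
# Added example (not Xloud/XDeploy code): verify Fernet key file ownership and mode.
# Usage: check_fernet_perms /var/lib/kolla/config_files/fernet-keys keystone keystone
# Exit status 0 only when every regular file in the directory is 0600 and owned
# by the given user:group. Requires GNU stat (%a octal mode, %U owner, %G group).

check_fernet_perms() {
    keydir=$1
    want_user=$2
    want_group=$3
    bad=0
    seen=0
    for f in "$keydir"/*; do
        [ -f "$f" ] || continue
        seen=$((seen + 1))
        # %a = octal mode, %U = owner name, %G = group name
        info=$(stat -c '%a %U %G' "$f") || { bad=$((bad + 1)); continue; }
        set -- $info
        if [ "$1" != "600" ] || [ "$2" != "$want_user" ] || [ "$3" != "$want_group" ]; then
            echo "BAD $f: mode=$1 owner=$2:$3 (expected 600 $want_user:$want_group)" >&2
            bad=$((bad + 1))
        fi
    done
    if [ "$seen" -eq 0 ]; then
        echo "no key files found in $keydir (wrong path?)" >&2
        return 1
    fi
    # success only when no file failed the check
    [ "$bad" -eq 0 ]
}

# Stand-alone usage: check_fernet_perms <dir> <user> <group>
if [ $# -eq 3 ]; then
    check_fernet_perms "$1" "$2" "$3" && echo "all key files OK"
fi
```

Run it from the host after each rotation, or wire it into the monitoring that already watches the rotation cron job, so a key file left world-readable by a manual copy is caught before the next deploy.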

Configure automated rotation

Set the rotation schedule and the number of active keys in the XDeploy globals:

  keystone_fernet_key_rotation: "0 */24 * * *"
  keystone_fernet_max_active_keys: 3

Deploy to activate the rotation configuration:

  xavs-ansible deploy --tags keystone

Verify rotation is running

Check the rotation cron job inside the keystone container:

  docker exec keystone crontab -l

Expected: the cron job is present and shows the configured rotation interval.

Role Assignment Auditing

Run quarterly access reviews to identify over-provisioned accounts.

Export all role assignments:

  openstack role assignment list --names \
    -f csv > role-assignments-$(date +%Y%m%d).csv

Find all admin role assignments:

  openstack role assignment list \
    --role admin \
    --names

Find users that hold the admin role in more than one project (value output prints one "user project" pair per line; domain- and system-scoped assignments have no project and are skipped):

  openstack role assignment list --role admin --names \
    -f value -c User -c Project | awk 'NF == 2 { print $1 }' | sort | uniq -d

Use the reader role for monitoring and dashboard accounts; it provides the visibility they need without write access. Reserve admin for accounts that genuinely require resource management capabilities.
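A quarterly review is easier to repeat against the CSV export than against live CLI calls. The script below is an added example, not part of the Xloud documentation: it reads a role-assignment CSV in the column order the CLI produces (Role, User, Group, Project, Domain, System, Inherited) and reports the two findings an auditor looks for first, users holding admin in more than one project and users holding system-scoped admin. The embedded CSV is constructed sample data and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not Xloud code): audit a role-assignment CSV export.
# Input format is what `openstack role assignment list --names -f csv` emits:
#   "Role","User","Group","Project","Domain","System","Inherited"
# Sample data below is constructed for the example.

SAMPLE_ASSIGNMENTS='"Role","User","Group","Project","Domain","System","Inherited"
"admin","alice@Default","","prod@Default","","","False"
"admin","alice@Default","","staging@Default","","","False"
"admin","bob@Default","","","","all","False"
"reader","carol@Default","","prod@Default","","","False"
"admin","dave@Default","","prod@Default","","","False"'

# Print each user that holds admin on two or more projects (reads CSV on stdin).
multi_project_admins() {
    awk -F'","' '
        NR == 1 { next }                 # skip the header row
        { gsub(/^"|"$/, "") }            # strip the outer quotes; $0 re-splits on ","
        $1 == "admin" && $2 != "" && $4 != "" { projects[$2]++ }
        END { for (u in projects) if (projects[u] > 1) print u }
    ' | sort
}

# Print each user that holds admin with system scope (reads CSV on stdin).
system_scope_admins() {
    awk -F'","' '
        NR == 1 { next }
        { gsub(/^"|"$/, "") }
        $1 == "admin" && $2 != "" && $6 != "" { print $2 }
    ' | sort -u
}

# Stand-alone usage against the constructed sample; for a real review feed the
# exported file instead:  multi_project_admins < role-assignments-YYYYMMDD.csv
echo "admin in more than one project:"
printf '%s\n' "$SAMPLE_ASSIGNMENTS" | multi_project_admins
echo "system-scoped admin:"
printf '%s\n' "$SAMPLE_ASSIGNMENTS" | system_scope_admins
```

The parser splits on the `","` separator rather than on bare commas, so user and project names containing commas would still break it; for a review that is acceptable because the export is small and a mangled row is visible, but if names with commas exist in your domain, export with `-f json` and parse that instead.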

Network-Level Controls

Restrict Identity API access

The Identity API public endpoint (port 5000) should be accessible only from:
  • Internal cluster networks
  • VPN or bastion hosts for administrative access
  • Dashboard and CLI clients via HAProxy
Configure HAProxy ACLs to block direct public access to the admin interface.

Ensure all Identity API endpoints use TLS with certificates from a trusted CA. XDeploy globals for TLS:

  kolla_enable_tls_external: "yes"
  kolla_external_tls_cert: /etc/xavs/certs/external.crt
  kolla_external_tls_key: /etc/xavs/certs/external.key

Next Steps

Token Configuration

Configure Fernet key rotation schedules and token lifetime policies.

Policy Management

Customize RBAC policies and implement least-privilege access controls.

Multi-Factor Authentication

Enable TOTP enrollment for user accounts.

Admin Troubleshooting

Diagnose security-related authentication and authorization failures.