Skip to content

Password Expiration Policy

Before you start

Goal

  • Define an appropriate password expiration policy for internal Altair SLC Hub users

By default, passwords for internal Altair SLC Hub users (that is, ones that are not imported from LDAP) do not expire. However, to comply with any corporate password standards that may exist, Altair SLC Hub allows the password expiration policy to be configured.

Configuration

The password validation policy is configured using the auth.passwordExpirationPolicy configuration section.

To create a custom password expiration policy, create a new configuration file in the etc/config.d directory with a name such as passwordpolicy.yaml, with contents such as:

auth:
    passwordExpirationPolicy:
      enabled: true
      changeInterval: 30

An example configuration, along with comments on the configuration settings can be found in the etc/config.d/auth.yaml configuration file.

Note that the configuration files in the etc/config.d directory are read in alphabetical order. However, there are no explicit settings in any installation supplied configuration files relating to the password expiration policy, so the name of the file containing any custom password expiration policy does not have to be alphabetically later than auth.yaml for it to have an effect.

Configuration Settings

enabled

Whether the password expiration policy is enabled. By default the password expiration policy is not enabled.

changeInterval

Specifies how often a user is required to change their password. This is a count of days (defined as whole 24 hour periods).

warnInterval

Specifies how long before a password reset is required a user be notified. This is a count of days (whole 24 hour periods)

Restart Altair SLC Hub

Having changed the password validation configuration, first verify that the configuration is read from the files correctly using the hubctl config print command:

hubctl config print auth.passwordValidityPolicy

It is then necessary to restart the authentication service in order for the change in configuration to have an effect. Restart the service using the following command:

hubctl service restart auth