Reduce bcrypt hashing rounds from 12 to 4 (minimal possible).
This is going to improve the performance of OpenStack a lot.
Bcrypt is a hashing algorithm that is designed to use a lot of resources and
in that way stops brute-force attacks. It's an exponential algorithm that depends
on the amount of rounds. By default they use 12 rounds, which is quite a high value,
good enough for really secure production environments.
In the case of DevStack it's going to slow down all authentication by many times.
Rally shows about 5 times slowdown (adding 2-5 seconds to every authentication).
DevStack is meant for development & CI, so performance is way more important than
security.
Change-Id: Id8c763d63cb91f37a774f9400f35c309f37d6f12
| ... | ... |
@@ -127,6 +127,12 @@ KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS=${KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS:-2}
|
| 127 | 127 |
KEYSTONE_LOCKOUT_DURATION=${KEYSTONE_LOCKOUT_DURATION:-5}
|
| 128 | 128 |
KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT=${KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT:-2}
|
| 129 | 129 |
|
| 130 |
+# Number of bcrypt hashing rounds, increasing number exponentially increases required |
|
| 131 |
+# resources to generate password hash. This is very effective way to protect from |
|
| 132 |
+# bruteforce attacks. 4 is minimal value that can be specified for bcrypt and |
|
| 133 |
+# it works way faster than default 12. Minimal value is great for CI and development |
|
| 134 |
+# however may not be suitable for real production. |
|
| 135 |
+KEYSTONE_PASSWORD_HASH_ROUNDS=${KEYSTONE_PASSWORD_HASH_ROUNDS:-4}
|
|
| 130 | 136 |
|
| 131 | 137 |
# Functions |
| 132 | 138 |
# --------- |
| ... | ... |
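Review bot: the comment block above KEYSTONE_PASSWORD_HASH_ROUNDS needs a grammar pass and should state the cost relation precisely rather than "exponentially increases" / "works way faster": the bcrypt rounds value is a log2 work factor, so each extra round doubles the hashing cost and 12 vs 4 is a 2^8 = 256x difference, which is the actual reason the default is slow in DevStack. Suggested wording for the block:
# Number of bcrypt hashing rounds (log2 work factor): each extra round doubles
# the cost of computing a password hash, which is what makes bcrypt resistant to
# brute-force. 4 is the minimum bcrypt accepts; fine for CI/development, not production.
Stating that it is a log2 cost also stops someone later "tuning" it to an iteration count like 1000.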
@@ -225,6 +231,7 @@ function configure_keystone {
|
| 225 | 225 |
fi |
| 226 | 226 |
|
| 227 | 227 |
iniset $KEYSTONE_CONF identity driver "$KEYSTONE_IDENTITY_BACKEND" |
| 228 |
+ iniset $KEYSTONE_CONF identity password_hash_rounds $KEYSTONE_PASSWORD_HASH_ROUNDS |
|
| 228 | 229 |
iniset $KEYSTONE_CONF assignment driver "$KEYSTONE_ASSIGNMENT_BACKEND" |
| 229 | 230 |
iniset $KEYSTONE_CONF role driver "$KEYSTONE_ROLE_BACKEND" |
| 230 | 231 |
iniset $KEYSTONE_CONF resource driver "$KEYSTONE_RESOURCE_BACKEND" |