
Configurable token hashing algorithm

The Keystone server and auth_token middleware were enhanced to
support a configurable hash algorithm.

With this change, the user can set

KEYSTONE_TOKEN_HASH_ALGORITHM=sha256

in their localrc to use the SHA256 algorithm rather than the
default md5. Any hash algorithm supported by Python's hashlib can
be used. The MD5 algorithm doesn't provide enough protection from
hash collisions and some security standards mandate a SHA2 hash
algorithm.

Change-Id: I8b373291ceb760a03c4c14aebfeb53d8d0dfbcc1
Closes-Bug: #1174499

Brant Knudson authored on 2014/08/25 08:54:51
Showing 2 changed files
@@ -112,6 +112,9 @@ function init_horizon {
112 112
 
113 113
     _horizon_config_set $local_settings "" OPENSTACK_HOST \"${KEYSTONE_SERVICE_HOST}\"
114 114
     _horizon_config_set $local_settings "" OPENSTACK_KEYSTONE_URL "\"${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}:${KEYSTONE_SERVICE_PORT}/v2.0\""
115
+    if [[ -n "$KEYSTONE_TOKEN_HASH_ALGORITHM" ]]; then
116
+        _horizon_config_set $local_settings "" OPENSTACK_TOKEN_HASH_ALGORITHM \""$KEYSTONE_TOKEN_HASH_ALGORITHM"\"
117
+    fi
115 118
 
116 119
     if [ -f $SSL_BUNDLE_FILE ]; then
117 120
         _horizon_config_set $local_settings "" OPENSTACK_SSL_CACERT \"${SSL_BUNDLE_FILE}\"
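Review bot: The value of KEYSTONE_TOKEN_HASH_ALGORITHM is copied into the Horizon settings here, and into keystone.conf and the auth_token section in the two hunks that follow, without ever being checked against what hashlib actually provides, so a typo in localrc is only discovered when the first token is hashed at runtime. Because the variable comes from localrc once, a single check before it is consumed would surface the mistake at configuration time, e.g. `python -c 'import hashlib, sys; hashlib.new(sys.argv[1])' "$KEYSTONE_TOKEN_HASH_ALGORITHM" || die $LINENO "KEYSTONE_TOKEN_HASH_ALGORITHM is not a hashlib algorithm"` (using whatever error helper this tree already uses). Passing the name as an argument rather than interpolating it into the `-c` string keeps the check safe for any value. The body of init_horizon continues outside this hunk.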
@@ -296,6 +296,10 @@ function configure_keystone {
296 296
 
297 297
     iniset $KEYSTONE_CONF DEFAULT admin_workers "$API_WORKERS"
298 298
     # Public workers will use the server default, typically number of CPU.
299
+
300
+    if [[ -n "$KEYSTONE_TOKEN_HASH_ALGORITHM" ]]; then
301
+        iniset $KEYSTONE_CONF token hash_algorithm "$KEYSTONE_TOKEN_HASH_ALGORITHM"
302
+    fi
299 303
 }
300 304
 
301 305
 function configure_keystone_extensions {
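Review bot: The new `hash_algorithm` stanza in configure_keystone carries no comment, while the adjacent line about public workers documents its default; a reader has to go to the commit message to learn that leaving the variable unset keeps keystone's built-in md5. A one-line comment above the `if` would keep the two consistent, e.g. `# Keystone defaults to md5 token hashing; honour a hashlib algorithm chosen in localrc.` It is also worth noting in that comment that the server option is `hash_algorithm` (singular) whereas the auth_token option set in the next hunk is `hash_algorithms`, so that nobody later "fixes" one to match the other.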
@@ -417,6 +421,9 @@ function configure_auth_token_middleware {
417 417
     iniset $conf_file $section admin_user $admin_user
418 418
     iniset $conf_file $section admin_password $SERVICE_PASSWORD
419 419
     iniset $conf_file $section signing_dir $signing_dir
420
+    if [[ -n "$KEYSTONE_TOKEN_HASH_ALGORITHM" ]]; then
421
+        iniset $conf_file keystone_authtoken hash_algorithms "$KEYSTONE_TOKEN_HASH_ALGORITHM"
422
+    fi
420 423
 }
421 424
 
422 425
 # init_keystone() - Initialize databases, etc.
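Review bot: The added `iniset` in configure_auth_token_middleware hard-codes the section as `keystone_authtoken`, while every surrounding `iniset` in the function writes to `$section`; if a caller passes a different section, the hash_algorithms setting lands in a section the middleware never reads, and the token-hash mismatch then shows up as authentication failures rather than a config error. The line should follow the function's own convention: `iniset $conf_file $section hash_algorithms "$KEYSTONE_TOKEN_HASH_ALGORITHM"`. configure_auth_token_middleware starts outside this hunk, so I am inferring that `$section` is its parameter from the lines above rather than from its signature.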