From 3951a9449924f0e8ce962738bfe557f2b48085c7 Mon Sep 17 00:00:00 2001
From: Brant Knudson
Date: Sun, 24 Aug 2014 18:54:51 -0500
Subject: [PATCH] Configurable token hashing algorithm

The Keystone server and auth_token middleware were enhanced to support a configurable hash algorithm. With this change, the user can set KEYSTONE_TOKEN_HASH_ALGORITHM=sha256 in their localrc to use the SHA256 algorithm rather than the default md5. Any hash algorithm supported by Python's hashlib can be used. The MD5 algorithm doesn't provide enough protection from hash collisions and some security standards mandate a SHA2 hash algorithm.
Change-Id: I8b373291ceb760a03c4c14aebfeb53d8d0dfbcc1
Closes-Bug: #1174499
---
 lib/horizon | 3 +++
 lib/keystone | 7 +++++++
 2 files changed, 10 insertions(+)
diff --git a/lib/horizon b/lib/horizon
index a422529d06..c0c3f821e4 100644
--- a/lib/horizon
+++ b/lib/horizon
@@ -112,6 +112,9 @@ function init_horizon {
 _horizon_config_set $local_settings "" OPENSTACK_HOST \"${KEYSTONE_SERVICE_HOST}\"
 _horizon_config_set $local_settings "" OPENSTACK_KEYSTONE_URL "\"${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}:${KEYSTONE_SERVICE_PORT}/v2.0\""
+ if [[ -n "$KEYSTONE_TOKEN_HASH_ALGORITHM" ]]; then
+ _horizon_config_set $local_settings "" OPENSTACK_TOKEN_HASH_ALGORITHM \""$KEYSTONE_TOKEN_HASH_ALGORITHM"\"
+ fi
 if [ -f $SSL_BUNDLE_FILE ]; then
 _horizon_config_set $local_settings "" OPENSTACK_SSL_CACERT \"${SSL_BUNDLE_FILE}\"
diff --git a/lib/keystone b/lib/keystone
index 2b2f31c773..06f673559e 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -296,6 +296,10 @@ function configure_keystone {
 iniset $KEYSTONE_CONF DEFAULT admin_workers "$API_WORKERS"
 # Public workers will use the server default, typically number of CPU.
+
+ if [[ -n "$KEYSTONE_TOKEN_HASH_ALGORITHM" ]]; then
+ iniset $KEYSTONE_CONF token hash_algorithm "$KEYSTONE_TOKEN_HASH_ALGORITHM"
+ fi
 }
 function configure_keystone_extensions {
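Review bot: The value of KEYSTONE_TOKEN_HASH_ALGORITHM is written verbatim into local_settings.py here (and into keystone.conf by the two lib/keystone hunks) without being checked against what hashlib actually provides, so a typo such as `sha265` is only discovered when token hashing fails at runtime in Horizon, Keystone and every auth_token consumer at once. A cheap guard before the first write would be `python -c 'import hashlib, sys; hashlib.new(sys.argv[1])' "$KEYSTONE_TOKEN_HASH_ALGORITHM" || die $LINENO "unsupported hash algorithm: $KEYSTONE_TOKEN_HASH_ALGORITHM"`, which also keeps the value out of the shell-to-Python string boundary. The `\""$VAR"\"` quoting does produce the intended quoted Python literal, but it is hard to read next to the `\"${VAR}\"` form used on the surrounding lines; the same form would be clearer. init_horizon begins before this hunk and its remaining context appears to be cut off after the OPENSTACK_SSL_CACERT line.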
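Review bot: KEYSTONE_TOKEN_HASH_ALGORITHM is read in configure_keystone here, in init_horizon and in configure_auth_token_middleware, but none of the hunks declares a default for it or documents it, so the md5 fallback that the commit message calls insufficient is invisible to anyone reading lib/keystone's settings. Unless the defaults section of lib/keystone (outside this hunk) already does so, add `# hashlib name used to hash PKI token ids, e.g. sha256; empty keeps the server/middleware default (md5)` followed by `KEYSTONE_TOKEN_HASH_ALGORITHM=${KEYSTONE_TOKEN_HASH_ALGORITHM:-}` there. The added empty `+` line above the new `if` is stray whitespace and could be dropped. configure_keystone opens before this hunk; its closing brace is the hunk's context.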
@@ -417,6 +421,9 @@ function configure_auth_token_middleware {
 iniset $conf_file $section admin_user $admin_user
 iniset $conf_file $section admin_password $SERVICE_PASSWORD
 iniset $conf_file $section signing_dir $signing_dir
+ if [[ -n "$KEYSTONE_TOKEN_HASH_ALGORITHM" ]]; then
+ iniset $conf_file keystone_authtoken hash_algorithms "$KEYSTONE_TOKEN_HASH_ALGORITHM"
+ fi
 }
 # init_keystone() - Initialize databases, etc.
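Review bot: The new iniset writes hash_algorithms to a hard-coded `keystone_authtoken` section while the three lines directly above it write to `$section`, so any caller of configure_auth_token_middleware that passes a section other than keystone_authtoken gets the option in a section its middleware never reads and silently stays on the default, while the server hunk in configure_keystone configures a different algorithm — the server and middleware then no longer agree on the algorithm this commit deliberately drives from a single variable. Use `iniset $conf_file $section hash_algorithms "$KEYSTONE_TOKEN_HASH_ALGORITHM"` so the option lands where the rest of the function puts the middleware settings. configure_auth_token_middleware opens before this hunk; its closing brace is visible as context.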