Configurable token hashing algorithm
The Keystone server and auth_token middleware were enhanced to
support a configurable hash algorithm.
With this change, the user can set
KEYSTONE_TOKEN_HASH_ALGORITHM=sha256
in their localrc to use the SHA256 algorithm rather than the
default md5. Any hash algorithm supported by Python's hashlib can
be used. The MD5 algorithm doesn't provide enough protection from
hash collisions and some security standards mandate a SHA2 hash
algorithm.
Change-Id: I8b373291ceb760a03c4c14aebfeb53d8d0dfbcc1
Closes-Bug: #1174499
diff --git a/lib/horizon b/lib/horizon
index a422529..c0c3f82 100644
--- a/lib/horizon
+++ b/lib/horizon
@@ -112,6 +112,9 @@
_horizon_config_set $local_settings "" OPENSTACK_HOST \"${KEYSTONE_SERVICE_HOST}\"
_horizon_config_set $local_settings "" OPENSTACK_KEYSTONE_URL "\"${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}:${KEYSTONE_SERVICE_PORT}/v2.0\""
+ if [[ -n "$KEYSTONE_TOKEN_HASH_ALGORITHM" ]]; then
+ _horizon_config_set $local_settings "" OPENSTACK_TOKEN_HASH_ALGORITHM \""$KEYSTONE_TOKEN_HASH_ALGORITHM"\"
+ fi
if [ -f $SSL_BUNDLE_FILE ]; then
_horizon_config_set $local_settings "" OPENSTACK_SSL_CACERT \"${SSL_BUNDLE_FILE}\"
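Review bot: The value written on the new `_horizon_config_set` line is placed inside a Python string literal in local_settings with no check that it names a hash algorithm, and the same unchecked value feeds `iniset` in the two lib/keystone hunks; an unsupported name only surfaces later, when Keystone or the middleware first hashes a token. A single fail-fast check at the point where lib/keystone consumes the variable would cover all three consumers, e.g. `python -c 'import hashlib, sys; hashlib.new(sys.argv[1])' "$KEYSTONE_TOKEN_HASH_ALGORITHM" || die $LINENO "unsupported KEYSTONE_TOKEN_HASH_ALGORITHM: $KEYSTONE_TOKEN_HASH_ALGORITHM"` (assuming DevStack's `die` helper is in scope there). The function enclosing this horizon hunk starts above the hunk.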
diff --git a/lib/keystone b/lib/keystone
index 2b2f31c..06f6735 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -296,6 +296,10 @@
iniset $KEYSTONE_CONF DEFAULT admin_workers "$API_WORKERS"
# Public workers will use the server default, typically number of CPU.
+
+ if [[ -n "$KEYSTONE_TOKEN_HASH_ALGORITHM" ]]; then
+ iniset $KEYSTONE_CONF token hash_algorithm "$KEYSTONE_TOKEN_HASH_ALGORITHM"
+ fi
}
function configure_keystone_extensions {
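Review bot: The new block before the closing brace of configure_keystone does not say why the option is written only when the variable is non-empty, leaving the reader to guess whether an explicit `md5` needs the same guard; a one-line comment would settle it, e.g. `# Only override when set: an empty value would blank [token]hash_algorithm instead of keeping Keystone's default.` No default for KEYSTONE_TOKEN_HASH_ALGORITHM is declared anywhere in this diff, so the guard relies on the variable being unset unless the operator sets it in localrc; if the keystone settings block lives elsewhere in lib/keystone, declaring `KEYSTONE_TOKEN_HASH_ALGORITHM=${KEYSTONE_TOKEN_HASH_ALGORITHM:-}` there would document the knob next to its siblings. The body of configure_keystone starts above this hunk.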
@@ -417,6 +421,9 @@
iniset $conf_file $section admin_user $admin_user
iniset $conf_file $section admin_password $SERVICE_PASSWORD
iniset $conf_file $section signing_dir $signing_dir
+ if [[ -n "$KEYSTONE_TOKEN_HASH_ALGORITHM" ]]; then
+ iniset $conf_file keystone_authtoken hash_algorithms "$KEYSTONE_TOKEN_HASH_ALGORITHM"
+ fi
}
# init_keystone() - Initialize databases, etc.
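Review bot: The middleware option set on the new `iniset` line is `hash_algorithms`, while the server option in the earlier lib/keystone hunk is `hash_algorithm`; if the middleware option is list-valued, as the plural suggests, an operator who sets `KEYSTONE_TOKEN_HASH_ALGORITHM=sha256,md5` for a migration window would get a working middleware but an invalid server setting, and the horizon hunk would embed the same list in OPENSTACK_TOKEN_HASH_ALGORITHM. A comment on this line would pin the contract: `# auth_token takes a list here; DevStack passes the single algorithm the server hashes with, so keep localrc to one name.` The function enclosing this hunk starts above it.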