[RFE] Support Credential Encryption Configuration

Bug #1758936 reported by Dmitrii Shcherbakov
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Keystone Charm | Fix Released | Wishlist | Unassigned | |

Bug Description

https://docs.openstack.org/keystone/pike/admin/identity-credential-encryption.html

A prerequisite for that would be: https://bugs.launchpad.net/charms/+source/keystone/+bug/1514187

This is mostly relevant for non-federated scenarios where password hashes are stored in a SQL database.

With federated identity this is only needed for service accounts.

Tags: cpe-onsite
James Page (james-page)
Changed in charm-keystone:
status: New → Triaged
importance: Undecided → Wishlist
Frode Nordahl (fnordahl)
Changed in charm-keystone:
milestone: none → 18.08
status: Triaged → Fix Committed
Frode Nordahl (fnordahl) wrote :

Initial support for this was added as a part of our implementation of support for Fernet tokens [0].

However, it is worth noting that this only affects the credentials stored in the `credential` table through the use of the Credential API [1].

The passwords for individual users in the directory are already stored using a salted one-way hash in the `password` table [2].

0: https://review.openstack.org/#/q/topic:fernet-keystone-charm+(status:open+OR+status:merged)
1: https://developer.openstack.org/api-ref/identity/v3/#credentials
2: https://github.com/openstack/keystone/blob/d80c260b386dbe6232b1943037739d134855a25e/keystone/common/password_hashing.py

David Ames (thedac)
Changed in charm-keystone:
status: Fix Committed → Fix Released