Comment 46 for bug 1174499

OpenStack Infra (hudson-openstack) wrote : Fix merged to django_openstack_auth (master)

Reviewed: https://review.openstack.org/116509
Committed: https://git.openstack.org/cgit/openstack/django_openstack_auth/commit/?id=ed1e31eca6cd34677feb6674973c4f8989b2b4e4
Submitter: Jenkins
Branch: master

commit ed1e31eca6cd34677feb6674973c4f8989b2b4e4
Author: Brant Knudson <email address hidden>
Date: Sat Aug 23 11:35:25 2014 -0500

    Configurable token hashing algorithm

    The user's authentication token was hashed using the MD5 algorithm.
    The MD5 algorithm shouldn't be used because of the potential for
    hash collisions. Some security standards mandate a SHA2 algorithm
    or better must be used.

    With this change the algorithm to use for hashing tokens can be
    configured by setting the OPENSTACK_TOKEN_HASH_ALGORITHM
    configuration option to a hash algorithm supported by Python's
    hashlib library[1]. For example, a deployer could set the option to
    'sha256' to meet a SHA2 security standard.

    The algorithm chosen must match the hash algorithm that the
    identity server is configured to use (Keystone and the auth_token
    middleware can be configured to use any hash algorithm supported by
    hashlib).

    This is for security hardening.

    [1] https://docs.python.org/2/library/hashlib.html

    DocImpact
    SecurityImpact

    Change-Id: I9e3eba7e0a12ae40a08d0ed851ea916ec6591bcc
    Closes-Bug: #1174499
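As an added illustration of the commit message's caveat that the client and identity server must use the same hash, the following is example code written for this page, not django_openstack_auth's or Keystone's implementation; `hash_token`, `IdentityServer` and `tokens_match` are hypothetical names, and the only value taken from the page is the `OPENSTACK_TOKEN_HASH_ALGORITHM` setting it refers to.

```python
import hashlib


def is_supported_algorithm(name):
    """True if hashlib can construct the named algorithm on this interpreter."""
    return name in hashlib.algorithms_available


def hash_token(token, algorithm):
    """Hash a raw token the way a client would before storing or looking it up.

    Rejects unknown names so a mistyped OPENSTACK_TOKEN_HASH_ALGORITHM fails
    loudly instead of silently producing hashes the server never matches.
    """
    if not is_supported_algorithm(algorithm):
        raise ValueError("unsupported token hash algorithm: %r" % algorithm)
    digest = hashlib.new(algorithm)
    digest.update(token.encode("utf-8"))
    return digest.hexdigest()


class IdentityServer(object):
    """Stand-in for an identity server that indexes issued tokens by hash.

    Constructed for this example; it is not Keystone's token backend.
    """

    def __init__(self, algorithm):
        self.algorithm = algorithm
        self._issued = set()

    def issue(self, token):
        self._issued.add(hash_token(token, self.algorithm))

    def is_valid(self, hashed_token):
        return hashed_token in self._issued


def tokens_match(token, client_algorithm, server_algorithm):
    """Whether a client hashing with client_algorithm is recognised by a
    server hashing with server_algorithm (the mismatch case the commit warns about)."""
    server = IdentityServer(server_algorithm)
    server.issue(token)
    return server.is_valid(hash_token(token, client_algorithm))


if __name__ == "__main__":
    token = "constructed-sample-token"  # constructed value, not a real token
    print(tokens_match(token, "sha256", "sha256"))  # True
    print(tokens_match(token, "md5", "sha256"))     # False: algorithms differ
```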