oslo.cache should offer encryption in a similar manner to keystonemiddleware

Bug #1578466 reported by Matt Fischer
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Won't Fix | Medium | Unassigned |
oslo.cache | Confirmed | Wishlist | Unassigned |

Bug Description

Keystone middleware's caching of tokens offers HMAC validation and encryption of the tokens in the cache. This is important because memcache has literally zero authentication or protection from any user on the system. So this feature should be ported in from keystone middleware into keystone.

Encrypted caching implementation: https://opendev.org/openstack/keystonemiddleware/src/commit/0a65b1420799e7c7f8736e9f6c234f755ab5ac6b/keystonemiddleware/auth_token/_cache.py#L254-L297
Caching configuration via ksm: https://opendev.org/openstack/keystonemiddleware/src/commit/0a65b1420799e7c7f8736e9f6c234f755ab5ac6b/keystonemiddleware/auth_token/_opts.py#L113-L122

Steve Martinelli (stevemar) wrote :

solid RFE

Changed in keystone:
importance: Undecided → Medium
status: New → Triaged
tags: added: security
tags: added: caching
Morgan Fainberg (mdrnstm) wrote :

This is something we should build into oslo.cache. I have moved the bug to Won't Fix in keystone and added oslo.cache.

Changed in keystone:
status: Triaged → Won't Fix
Changed in oslo.cache:
status: New → Confirmed
summary: - keystone token cache should offer encryption like the middleware cache
- does
+ cache should offer encryption in a similar manner to keystonemiddleware
+ cache does
Changed in oslo.cache:
status: Confirmed → New
Morgan Fainberg (mdrnstm) wrote : Re: cache should offer encryption in a similar manner to keystonemiddleware cache does

This can be done as a backend or as a proxy fairly easily. Move this from keystone bug tracker as it is generally a good feature request.
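
The proxy approach mentioned above, reduced to the HMAC-validation half of what the bug description asks for, as an added example (not keystonemiddleware's or oslo.cache's code). `MacProxy`, its subkey labels and the dict standing in for memcached are hypothetical; it provides integrity only, and confidentiality would additionally need a cipher from a third-party library.

```python
import hashlib
import hmac
import json

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag

class MacProxy:
    """Hypothetical integrity proxy in front of an untrusted cache backend."""

    def __init__(self, backend, secret: bytes):
        self._backend = backend  # any dict-like store; stands in for memcached
        # Separate subkeys so the key-hiding and MAC roles never share a key.
        self._k_id = hmac.new(secret, b"cache-key", hashlib.sha256).digest()
        self._k_mac = hmac.new(secret, b"value-mac", hashlib.sha256).digest()

    def _slot(self, key: str) -> str:
        # Store under a keyed hash so the raw key (e.g. a token) never reaches the cache.
        return hmac.new(self._k_id, key.encode(), hashlib.sha256).hexdigest()

    def _tag(self, slot: str, payload: bytes) -> bytes:
        # Bind the tag to the slot so a valid value cannot be replayed under another key.
        return hmac.new(self._k_mac, slot.encode() + payload, hashlib.sha256).digest()

    def set(self, key: str, value) -> None:
        slot = self._slot(key)
        payload = json.dumps(value).encode()
        self._backend[slot] = self._tag(slot, payload) + payload

    def get(self, key: str):
        slot = self._slot(key)
        blob = self._backend.get(slot)
        if blob is None or len(blob) < TAG_LEN:
            return None
        tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(slot, payload)):
            self._backend.pop(slot, None)  # tampered entry: evict, report a miss
            return None
        return json.loads(payload)

def demo():
    store = {}  # constructed stand-in for a shared memcached instance
    cache = MacProxy(store, secret=b"constructed-demo-secret")
    cache.set("token-abc", {"user": "alice", "roles": ["member"]})
    slot = next(iter(store))
    ok = cache.get("token-abc")
    # Simulate another local user rewriting the entry without the secret.
    store[slot] = store[slot].replace(b"member", b"admin!")
    return ok, cache.get("token-abc"), slot
```

A failed MAC check is reported as a cache miss, so the caller falls back to the authoritative source instead of trusting the modified entry.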

Ben Nemec (bnemec)
Changed in oslo.cache:
status: New → Confirmed
importance: Undecided → Wishlist
summary: - cache should offer encryption in a similar manner to keystonemiddleware
- cache does
+ oslo.cache should offer encryption in a similar manner to
+ keystonemiddleware cache
summary: oslo.cache should offer encryption in a similar manner to
- keystonemiddleware cache
+ keystonemiddleware
description: updated
Daniel Bengtsson (damani42) wrote :

Hi,

Do you have any update? Is it still relevant?

Takashi Kajinami (kajinamit) wrote :

I'm not too sure if we want to enable encryption for all cache data. Encryption is considered to have a performance impact, and if the data is not quite sensitive then encrypting such data would be just redundant.

I don't block this work, but if we don't hear any other use cases where not having the common encryption mechanism causes pain and anyone is actually interested in bringing this functionality for further period, I'd close this as won't fix.
