oslo.cache should offer encryption in a similar manner to keystonemiddleware

Bug #1578466 reported by Matt Fischer on 2016-05-05
This bug affects 2 people
Affects: OpenStack Identity (keystone); Importance: Medium; Assigned to: Unassigned
Affects: oslo.cache; Importance: Wishlist; Assigned to: Unassigned

Bug Description

Keystone middleware's caching of tokens offers HMAC validation and encryption of the tokens in the cache. This is important because memcache has literally zero authentication or protection from any user on the system. So this feature should be ported in from keystone middleware into keystone.

Encrypted caching implementation: https://opendev.org/openstack/keystonemiddleware/src/commit/0a65b1420799e7c7f8736e9f6c234f755ab5ac6b/keystonemiddleware/auth_token/_cache.py#L254-L297
Caching configuration via ksm: https://opendev.org/openstack/keystonemiddleware/src/commit/0a65b1420799e7c7f8736e9f6c234f755ab5ac6b/keystonemiddleware/auth_token/_opts.py#L113-L122
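
Added example (not part of the original report and not keystonemiddleware or oslo.cache code): a minimal sketch of the HMAC-validation half of the feature described above, using only the Python standard library. Encryption is left out because it needs a third-party cipher library. The class name, key-derivation labels, dict stand-in for memcached and sample values are all assumptions constructed for illustration.

```python
import hashlib
import hmac

DIGEST = hashlib.sha256
MAC_LEN = DIGEST().digest_size

def derive_keys(secret: bytes) -> dict:
    # Assumed scheme: one configured secret, separate sub-keys per purpose.
    return {label: hmac.new(secret, label.encode(), DIGEST).digest()
            for label in ("cache-key", "mac")}

class SignedCache:
    """Hypothetical wrapper adding HMAC validation to a dict-like store."""

    def __init__(self, store, secret: bytes):
        self._store = store
        self._keys = derive_keys(secret)

    def _cache_key(self, key: str) -> str:
        # Keyed hash of the lookup key: entry names in the shared store
        # cannot be predicted without the secret.
        return hmac.new(self._keys["cache-key"], key.encode(), DIGEST).hexdigest()

    def _mac(self, cache_key: str, value: bytes) -> bytes:
        # Bind the MAC to the entry name so a valid value cannot be
        # copied under a different key.
        msg = cache_key.encode() + b"\0" + value
        return hmac.new(self._keys["mac"], msg, DIGEST).digest()

    def set(self, key: str, value: bytes) -> None:
        ck = self._cache_key(key)
        self._store[ck] = self._mac(ck, value) + value

    def get(self, key: str):
        ck = self._cache_key(key)
        blob = self._store.get(ck)
        if blob is None or len(blob) < MAC_LEN:
            return None
        mac, value = blob[:MAC_LEN], blob[MAC_LEN:]
        if not hmac.compare_digest(mac, self._mac(ck, value)):
            return None  # modified or foreign entry: treat as a cache miss
        return value

def demo():
    store = {}  # constructed stand-in for an unauthenticated memcached
    cache = SignedCache(store, b"constructed-secret")
    cache.set("token-a", b'{"user": "alice"}')
    cache.set("token-b", b'{"user": "bob"}')
    ok = cache.get("token-a")
    ka, kb = cache._cache_key("token-a"), cache._cache_key("token-b")
    store[ka] = store[kb]              # another valid entry copied over this one
    swapped = cache.get("token-a")
    store[kb] = store[kb][:-1] + b"!"  # stored value edited in place
    return ok, swapped, cache.get("token-b")
```

Both modified entries come back as cache misses, so the caller falls through to the authoritative source instead of trusting data written by another user of the store.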

Steve Martinelli (stevemar) wrote :

solid RFE

Changed in keystone:
importance: Undecided → Medium
status: New → Triaged
tags: added: security
tags: added: caching
Morgan Fainberg (mdrnstm) wrote :

This is something we should build into oslo.cache. I have moved the bug to Won't Fix in keystone and added oslo.cache.

Changed in keystone:
status: Triaged → Won't Fix
Changed in oslo.cache:
status: New → Confirmed
summary: - keystone token cache should offer encryption like the middleware cache
- does
+ cache should offer encryption in a similar manner to keystonemiddleware
+ cache does
Changed in oslo.cache:
status: Confirmed → New

This can be done as a backend or as a proxy fairly easily. Move this from keystone bug tracker as it is generally a good feature request.

Ben Nemec (bnemec) on 2018-08-29
Changed in oslo.cache:
status: New → Confirmed
importance: Undecided → Wishlist
summary: - cache should offer encryption in a similar manner to keystonemiddleware
- cache does
+ oslo.cache should offer encryption in a similar manner to
+ keystonemiddleware cache
summary: oslo.cache should offer encryption in a similar manner to
- keystonemiddleware cache
+ keystonemiddleware
description: updated