Default password hashing algorithm in Keystone is suboptimal for large scale deployments

Bug #1871347 reported by Bogdan Dobrelya
This bug affects 1 person
Affects: tripleo
Status: Expired
Importance: High
Assigned to: Unassigned
Milestone: none

Bug Description

The default password hash, bcrypt [0] (since Pike), has a drastic degrading impact on overall scalability.

We need to change the default password_hash_algorithm in hiera to pbkdf2_sha512. The user passwords need to be reset for this to take full effect.

[0] https://opendev.org/openstack/keystone/src/branch/master/keystone/conf/identity.py#L114
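
The report notes that passwords must be reset for the new algorithm to take full effect, because a stored hash keeps the scheme it was created with until the password is set again. The following added example (not part of the bug report or of any TripleO/Keystone code) classifies stored hashes by their prefix and lists accounts that still need a reset. It assumes the hashes use passlib-style string formats; the user names, hash strings and the helper names `identify` and `pending_resets` are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: stored hashes use passlib's string formats for the algorithm
# names bcrypt, pbkdf2_sha512 and scrypt.
SCHEMES = {
    "bcrypt": re.compile(r"^\$2[abxy]?\$(?P<cost>\d{2})\$[./A-Za-z0-9]{53}$"),
    "pbkdf2_sha512": re.compile(
        r"^\$pbkdf2-sha512\$(?P<cost>\d+)\$[./A-Za-z0-9]+\$[./A-Za-z0-9]+$"),
    "scrypt": re.compile(r"^\$scrypt\$ln=(?P<cost>\d+),r=\d+,p=\d+\$"),
}


def identify(stored_hash):
    """Return (scheme, cost) for a stored hash, or ("unknown", None)."""
    for scheme, pattern in SCHEMES.items():
        match = pattern.match(stored_hash)
        if match:
            return scheme, int(match.group("cost"))
    return "unknown", None


def pending_resets(rows, target="pbkdf2_sha512"):
    """Names of users whose stored hash was not produced by `target`."""
    return [name for name, h in rows if identify(h)[0] != target]


# Constructed sample rows (user name, stored hash); salts and digests are filler.
SAMPLE_ROWS = [
    ("nova", "$2b$12$" + "a" * 53),
    ("glance", "$2b$12$" + "b" * 53),
    ("heat", "$pbkdf2-sha512$25000$" + "c" * 22 + "$" + "d" * 86),
    ("legacy", "$6$rounds=10000$salt$" + "e" * 86),
]

if __name__ == "__main__":
    print(Counter(identify(h)[0] for _, h in SAMPLE_ROWS))
    print("still need a password reset:", pending_resets(SAMPLE_ROWS))
```
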

Changed in tripleo:
importance: Undecided → High
milestone: none → ussuri-3
status: New → Triaged
tags: added: queens-backport-potential stein-backport-potential train-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.opendev.org/718015

Changed in tripleo:
assignee: nobody → Bogdan Dobrelya (bogdando)
status: Triaged → In Progress
Bogdan Dobrelya (bogdando) wrote : Re: Default password hashing algorithm in Keystone is suboptimal
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-ansible (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/718055

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to python-tripleoclient (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/718082

tags: added: edge
summary: - Default password hashing algorithm in Keystone is suboptimal
+ Default password hashing algorithm in Keystone is suboptimal for large
+ scale deployments
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-docs (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/718443

wes hayutin (weshayutin)
Changed in tripleo:
milestone: ussuri-3 → ussuri-rc3
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-ansible (master)

Reviewed: https://review.opendev.org/718055
Committed: https://git.openstack.org/cgit/openstack/tripleo-ansible/commit/?id=4349466878b52a233abef64a1904a9bc3ce63f4c
Submitter: Zuul
Branch: master

commit 4349466878b52a233abef64a1904a9bc3ce63f4c
Author: Bogdan Dobrelya <email address hidden>
Date: Tue Apr 7 12:55:28 2020 +0200

    Allow passwords to be reset (force rotated)

    Sometimes, passwords have to be force-updated. Allow
    doing that via cli-update-deployment-plan playbook.

    Related-Bug: #1871347

    Change-Id: I2644e5a75abf94b3150011956bad9304e0de7cdb
    Signed-off-by: Bogdan Dobrelya <email address hidden>

OpenStack Infra (hudson-openstack) wrote : Change abandoned on python-tripleoclient (master)

Change abandoned by Bogdan Dobrelya (bogdando) (<email address hidden>) on branch: master
Review: https://review.opendev.org/718082

OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-heat-templates (master)

Change abandoned by Bogdan Dobrelya (bogdando) (<email address hidden>) on branch: master
Review: https://review.opendev.org/718015

OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-docs (master)

Change abandoned by Bogdan Dobrelya (bogdando) (<email address hidden>) on branch: master
Review: https://review.opendev.org/718443

Changed in tripleo:
status: In Progress → Triaged
assignee: Bogdan Dobrelya (bogdando) → nobody
wes hayutin (weshayutin)
Changed in tripleo:
milestone: ussuri-rc3 → victoria-1
Changed in tripleo:
milestone: victoria-1 → victoria-3
Changed in tripleo:
milestone: victoria-3 → wallaby-1
Changed in tripleo:
milestone: wallaby-1 → wallaby-2
Changed in tripleo:
milestone: wallaby-2 → wallaby-3
Changed in tripleo:
milestone: wallaby-3 → wallaby-rc1
Changed in tripleo:
milestone: wallaby-rc1 → xena-1
Marios Andreou (marios-b) wrote :

This is an automated action. Bug status has been set to 'Incomplete' and target milestone has been removed due to inactivity. If you disagree please re-set these values and reach out to us on freenode #tripleo

Changed in tripleo:
milestone: xena-1 → none
status: Triaged → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for tripleo because there has been no activity for 60 days.]

Changed in tripleo:
status: Incomplete → Expired
This report contains Public information  
Everyone can see this information.
