[openstack-dev] Keystone Hashing MD5 to SHA256
tristan.cacqueray at enovance.com
Mon Jan 6 16:00:33 UTC 2014
On 01/06/2014 04:19 PM, Adam Young wrote:
> If it were as easy as just replacing the hash algorithm, we would
> have done it a year + ago. I'm guessing you figured that by now.
> Here is the deal: We need to be able to make things work side by side.
> Not sure how to do that, but I think the right solution is to make
> keystone configurable first, so that you can set the hashing algorithm
> in the config file, and that python-keystoneclient should be able to
> handle both. Since the PKC doesn't tend to talk to multiple Keystones,
> that should probably be sufficient.
> In the future, Keystone needs to advertise, somehow, what hashing
> algorithm it uses. It probably can/should stick that data in the token.
How about we prefix the hash with the chosen algorithm, like the glibc
crypt method (i.e. $id$hash)? No prefix would mean the former md5.
This would allow a smooth migration as multiple hash algorithms could be
used simultaneously and keystone wouldn't have to announce what
algorithm it uses...
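The prefix scheme proposed in this message, sketched as an added example (not Keystone's code and not part of the original post). The algorithm names, the function names and the `allowed` set are assumptions made for illustration; the thread only specifies the `$id$hash` shape and that no prefix means MD5.

```python
import hashlib
import hmac

# Assumed identifiers for this sketch; the thread does not define any.
ALGORITHMS = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}
LEGACY = "md5"  # an ID without a "$" prefix is read as the former MD5 form
HEX = set("0123456789abcdef")


def hash_token(token: bytes, algorithm: str = LEGACY) -> str:
    """Return the token ID: bare hex for legacy MD5, else $algorithm$hex."""
    if algorithm == LEGACY:
        return hashlib.md5(token).hexdigest()
    if algorithm not in ALGORITHMS:
        raise ValueError("unsupported algorithm: %r" % algorithm)
    return "$%s$%s" % (algorithm, ALGORITHMS[algorithm](token).hexdigest())


def parse_token_id(token_id: str):
    """Split a token ID into (algorithm, hexdigest), rejecting malformed IDs."""
    if token_id.startswith("$"):
        parts = token_id.split("$")
        if len(parts) != 3 or parts[1] not in ALGORITHMS:
            raise ValueError("unknown or malformed prefix")
        algorithm, digest = parts[1], parts[2]
        expected = ALGORITHMS[algorithm]().digest_size * 2
    else:
        algorithm, digest, expected = LEGACY, token_id, 32
    if len(digest) != expected or not set(digest) <= HEX:
        raise ValueError("digest is not %d lowercase hex characters" % expected)
    return algorithm, digest


def matches(token: bytes, token_id: str,
            allowed=frozenset({"md5", "sha256", "sha512"})) -> bool:
    """Check token against token_id using the algorithm its prefix names.

    `allowed` lets an operator stop accepting MD5 once migration is done.
    """
    try:
        algorithm, _ = parse_token_id(token_id)
    except ValueError:
        return False
    if algorithm not in allowed:
        return False
    return hmac.compare_digest(hash_token(token, algorithm), token_id)
```

Because the prefix travels with the ID, the verifier must pin the set of algorithms it accepts rather than trust whatever the ID names; narrowing `allowed` to exclude `md5` is how the legacy form gets retired.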