<div dir="ltr">Actually - in lieu of writing specs for this work, we already have a keystonemiddleware bug open for moving to oslo.cache [0].<div><br></div><div>I've opened another bug for moving to a supported crypto library [1].<br><div><br></div><div>[0] <a href="https://bugs.launchpad.net/keystonemiddleware/+bug/1523375">https://bugs.launchpad.net/keystonemiddleware/+bug/1523375</a></div></div><div>[1] <a href="https://bugs.launchpad.net/keystonemiddleware/+bug/1677308">https://bugs.launchpad.net/keystonemiddleware/+bug/1677308</a></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Mar 29, 2017 at 10:41 AM, Lance Bragstad <span dir="ltr"><<a href="mailto:lbragstad@gmail.com" target="_blank">lbragstad@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">With pycrypto removed from keystoneauth [0] (thanks Brant, Monty, and Morgan!), I did some poking at the usage in keystonemiddleware [1].<div><br></div><div>The usage is built into auth_token middleware for encrypting and decrypting things stored in cache [2], but it is conditional based on configuration [3] and whether or not pycrypto is installed [4]. The encryption of things before caching them is disabled by default.</div><div><br></div><div>We've also had several discussions about moving keystonemiddleware to using oslo.cache instead of its own caching implementation [5] for py3 reasons. If we're going to invest time into making that switch, grouping the switch from pycrypto to pyca/cryptography doesn't sound unreasonable.</div><div><br></div><div>Any thoughts on this from a keystone perspective? I can try and work them into a spec proposal for keystonemiddleware since I'll be proposing one for the oslo.cache switch [6]. 
<br><div><br></div><div>[0] <a href="https://review.openstack.org/#/c/443318/" target="_blank">https://review.openstack.<wbr>org/#/c/443318/</a></div><div>[1] <a href="https://github.com/openstack/keystonemiddleware/blob/a2e3d60644aadb4ecb3d49dadbcd5d4c1dec2176/test-requirements.txt#L12" target="_blank">https://github.com/<wbr>openstack/keystonemiddleware/<wbr>blob/<wbr>a2e3d60644aadb4ecb3d49dadbcd5d<wbr>4c1dec2176/test-requirements.<wbr>txt#L12</a></div></div><div>[2] <a href="https://github.com/openstack/keystonemiddleware/blob/a2e3d60644aadb4ecb3d49dadbcd5d4c1dec2176/keystonemiddleware/auth_token/_memcache_crypt.py#L19-L21" target="_blank">https://github.com/<wbr>openstack/keystonemiddleware/<wbr>blob/<wbr>a2e3d60644aadb4ecb3d49dadbcd5d<wbr>4c1dec2176/keystonemiddleware/<wbr>auth_token/_memcache_crypt.py#<wbr>L19-L21</a></div><div>[3] <a href="https://github.com/openstack/keystonemiddleware/blob/a2e3d60644aadb4ecb3d49dadbcd5d4c1dec2176/keystonemiddleware/auth_token/_opts.py#L109-L122" target="_blank">https://github.com/<wbr>openstack/keystonemiddleware/<wbr>blob/<wbr>a2e3d60644aadb4ecb3d49dadbcd5d<wbr>4c1dec2176/keystonemiddleware/<wbr>auth_token/_opts.py#L109-L122</a></div><div>[4] <a href="https://github.com/openstack/keystonemiddleware/blob/a2e3d60644aadb4ecb3d49dadbcd5d4c1dec2176/keystonemiddleware/auth_token/_memcache_crypt.py#L42-L46" target="_blank">https://github.com/<wbr>openstack/keystonemiddleware/<wbr>blob/<wbr>a2e3d60644aadb4ecb3d49dadbcd5d<wbr>4c1dec2176/keystonemiddleware/<wbr>auth_token/_memcache_crypt.py#<wbr>L42-L46</a></div><div>[5] <a href="http://eavesdrop.openstack.org/meetings/keystone/2017/keystone.2017-03-21-18.00.log.html#l-136" target="_blank">http://eavesdrop.<wbr>openstack.org/meetings/<wbr>keystone/2017/keystone.2017-<wbr>03-21-18.00.log.html#l-136</a></div><div>[6] <a href="http://eavesdrop.openstack.org/meetings/keystone/2017/keystone.2017-03-21-18.00.log.html#l-149" 
target="_blank">http://eavesdrop.<wbr>openstack.org/meetings/<wbr>keystone/2017/keystone.2017-<wbr>03-21-18.00.log.html#l-149</a></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Mar 29, 2017 at 9:56 AM, Brian Rosmaita <span dir="ltr"><<a href="mailto:rosmaita.fossdev@gmail.com" target="_blank">rosmaita.fossdev@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On 3/8/17 2:03 PM, Matthew Thode wrote:<br>
> So, pycrypto upstream is dead and has been for a while, we should look<br>
> at moving off of it for both bugfix and security reasons.<br>
><br>
> Currently it's used by the following.<br>
><br>
> barbican, cinder, trove, glance, heat, keystoneauth, keystonemiddleware,<br>
> kolla, openstack-ansible, and a couple of other smaller places.<br>
<br>
</span>[snip]<br>
<span><br>
> I'd be interested in hearing about migration plans, especially from the<br>
> affected projects.<br>
<br>
</span>Glance report:<br>
- pycrypto isn't used in glance_store or python-glanceclient<br>
- Glance already uses cryptography for image-signature verification, so<br>
our path will be to migrate from pycrypto -> cryptography<br>
- I've got a patch up for this: <a href="https://review.openstack.org/#/c/449401/" rel="noreferrer" target="_blank">https://review.openstack.org/#<wbr>/c/449401/</a><br>
<br>
cheers,<br>
brian<br>
<div class="m_6190275861706862617HOEnZb"><div class="m_6190275861706862617h5"><br>
<br>
______________________________<wbr>______________________________<wbr>______________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.op<wbr>enstack.org?subject:unsubscrib<wbr>e</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi<wbr>-bin/mailman/listinfo/openstac<wbr>k-dev</a><br>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
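Added example, not part of the thread above and not keystonemiddleware's own code: the thread describes an auth_token cache layer whose entries may be cached in the clear, signed, or encrypted depending on configuration and on whether the (now unmaintained) pycrypto library is importable. The block below sketches that same three-way choice on top of pyca/cryptography, the replacement library the thread proposes. Everything specific in it is an assumption chosen for illustration: the strategy names, the per-slot HMAC-SHA256 key derivation, the `{MAC:...}`/`{ENCRYPT:...}` framing, AES-GCM with the cache key as associated data, and the decision to raise when encryption is configured but the library is missing rather than fall back to plaintext. None of that is claimed to match what the project's `_memcache_crypt.py` actually does.

```python
"""Cache-entry protection for an auth_token-style memcache layer, written
against pyca/cryptography rather than pycrypto.

Illustrative code only. Strategy names, key derivation and the framing
below are assumptions, not keystonemiddleware's format.
"""
import hashlib
import hmac
import os

# Assumed three-way choice: cache in the clear, sign only, or encrypt.
NONE, MAC, ENCRYPT = "None", "MAC", "ENCRYPT"
MAC_PREFIX = b"{MAC:SHA256}"
ENC_PREFIX = b"{ENCRYPT:AES-GCM}"
NONCE_LEN = 12
TAG_LEN = 32


def aes_gcm_available():
    """True if pyca/cryptography (the pycrypto replacement) can be imported."""
    try:
        from cryptography.hazmat.primitives.ciphers.aead import AESGCM  # noqa: F401
    except ImportError:
        return False
    return True


def derive_keys(secret, cache_key):
    """Separate MAC and encryption keys per cache slot (assumed derivation)."""
    return {
        "mac": hmac.new(secret, b"mac|" + cache_key, hashlib.sha256).digest(),
        "enc": hmac.new(secret, b"enc|" + cache_key, hashlib.sha256).digest(),
    }


def protect(strategy, secret, cache_key, value):
    """Wrap value for storage under cache_key according to strategy."""
    if strategy == NONE:
        return value
    keys = derive_keys(secret, cache_key)
    if strategy == MAC:
        tag = hmac.new(keys["mac"], value, hashlib.sha256).digest()
        return MAC_PREFIX + tag + value
    if strategy == ENCRYPT:
        # Fail closed: a missing crypto library must not silently degrade to plaintext.
        if not aes_gcm_available():
            raise RuntimeError("memcache encryption requested but pyca/cryptography is not installed")
        from cryptography.hazmat.primitives.ciphers.aead import AESGCM
        nonce = os.urandom(NONCE_LEN)
        # cache_key as associated data binds the ciphertext to its slot,
        # so an entry copied under another key fails authentication.
        ciphertext = AESGCM(keys["enc"]).encrypt(nonce, value, cache_key)
        return ENC_PREFIX + nonce + ciphertext
    raise ValueError("unknown strategy %r" % strategy)


def unprotect(strategy, secret, cache_key, blob):
    """Reverse protect(); raises ValueError on any authentication failure."""
    if strategy == NONE:
        return blob
    keys = derive_keys(secret, cache_key)
    if strategy == MAC:
        if not blob.startswith(MAC_PREFIX):
            raise ValueError("cache entry is not MAC framed")
        body = blob[len(MAC_PREFIX):]
        tag, value = body[:TAG_LEN], body[TAG_LEN:]
        expected = hmac.new(keys["mac"], value, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            raise ValueError("cache entry failed MAC check")
        return value
    if strategy == ENCRYPT:
        if not blob.startswith(ENC_PREFIX):
            raise ValueError("cache entry is not encrypted framed")
        from cryptography.exceptions import InvalidTag
        from cryptography.hazmat.primitives.ciphers.aead import AESGCM
        body = blob[len(ENC_PREFIX):]
        nonce, ciphertext = body[:NONCE_LEN], body[NONCE_LEN:]
        try:
            return AESGCM(keys["enc"]).decrypt(nonce, ciphertext, cache_key)
        except InvalidTag:
            raise ValueError("cache entry failed authenticated decryption")
    raise ValueError("unknown strategy %r" % strategy)


def demo(strategy):
    """Protect a constructed token, then read back an intact and a tampered copy.

    Returns (intact_roundtrip_ok, tampering_detected)."""
    secret = b"constructed memcache secret"  # constructed, would come from config
    cache_key = b"tokens/0123456789abcdef"  # constructed
    token = b'{"user_id": "1234", "expires": "2017-03-29T12:00:00Z"}'  # constructed
    blob = protect(strategy, secret, cache_key, token)
    intact = unprotect(strategy, secret, cache_key, blob) == token
    tampered = bytearray(blob)
    tampered[-1] ^= 0x01  # flip one bit of the stored entry
    try:
        unprotect(strategy, secret, cache_key, bytes(tampered))
        detected = False
    except ValueError:
        detected = True
    return intact, detected


if __name__ == "__main__":
    for strategy in (NONE, MAC, ENCRYPT):
        try:
            print(strategy, demo(strategy))
        except RuntimeError as exc:
            print(strategy, "refused:", exc)
```

Running it shows the property the thread is implicitly relying on: with the assumed `None` strategy a flipped bit in the cached token is read back as a valid entry, while the `MAC` and `ENCRYPT` strategies reject it. The `ENCRYPT` path raises at configuration time when the library is absent; whether the real middleware behaves that way when pycrypto is missing is something to check in `_memcache_crypt.py` rather than assume from this sketch.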