[openstack-dev] [Keystone] Enforcing cert validation in auth_token middleware

Jamie Lennox jlennox at redhat.com
Thu Sep 12 03:25:26 UTC 2013


With the aim of replacing httplib and cert validation with requests[1]
I've put forward the following review to use the requests library for
auth_token middleware. 

https://review.openstack.org/#/c/34161/

This adds 2 new config options.
- The ability to provide CAs to validate https connections against.
- The ability to set insecure to ignore https validation. 

By default requests will validate connections against the system CAs.
So given that we currently don't verify SSL connections, do we
need to default insecure to true?

Maintaining compatibility should win here as I imagine there are a great
number of auth_token deployments using SSL with invalid/self-signed
certificates that would be broken, but defaulting to insecure just seems
wrong.

Given that keystone isn't the only project moving away from httplib, how
are other projects handling this? How do we end up with reasonable
defaults? Is there any amount of warning that we could give to change a
default like this - or is this another one of those version 1.0 issues?


Jamie



[1] https://bugs.launchpad.net/keystone/+bug/1188189 
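The following is an added illustration, not code from the review linked above or from keystone itself, of how the two proposed options map onto the `verify` argument that the requests library accepts, and of what an existing deployment with a self-signed certificate would hit once validation is on by default. The option names `insecure` and `cafile`, the helper names, and the CA bundle path are assumptions made for the example.

```python
"""Map the two auth_token options discussed in the thread onto the ``verify``
argument of the requests library.

Assumed (hypothetical) option names: ``insecure`` and ``cafile``; they are not
taken from the review.
"""
import logging
from typing import Optional, Union

LOG = logging.getLogger(__name__)


def verify_argument(insecure=False, cafile=None):
    # type: (bool, Optional[str]) -> Union[bool, str]
    """Return the value to pass as ``verify=`` to requests.

    insecure=True        -> False  (no certificate validation; the
                                    compatibility path the thread worries about)
    cafile='/path/ca.pem'-> that path (validate against the given CAs only)
    neither set          -> True   (requests' default: the system CA bundle)
    """
    if insecure:
        # Mirrors the 'insecure' option: validation is skipped entirely. Log it
        # so the weaker setting is visible in every process that uses it.
        LOG.warning("auth_token: TLS certificate validation disabled (insecure=True)")
        return False
    if cafile:
        # Mirrors the CA option: requests accepts a path to a PEM bundle (or a
        # directory) and validates the server chain against it instead of the
        # system store. An unreadable path makes requests raise at call time.
        return cafile
    # Neither option set: requests' own default, validate against system CAs.
    return True


def fetch_token_info(url, insecure=False, cafile=None, timeout=10):
    """Issue a GET to the identity server with the computed verify setting.

    Returns the response on success. On an SSLError (what an existing
    deployment with a self-signed certificate would hit once validation is on)
    it re-raises with a message naming the two configuration options, so the
    operator sees the remediation rather than a bare handshake failure.
    """
    import requests  # imported here so verify_argument() has no dependency

    verify = verify_argument(insecure=insecure, cafile=cafile)
    try:
        return requests.get(url, verify=verify, timeout=timeout)
    except requests.exceptions.SSLError as exc:
        raise RuntimeError(
            "certificate validation failed for %s: %s; supply the CA bundle "
            "via cafile, or set insecure=True only as a temporary measure"
            % (url, exc)
        )


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed values for illustration; the path does not need to exist to
    # show the mapping itself.
    print(verify_argument())                                   # True
    print(verify_argument(cafile="/etc/keystone/ssl/ca.pem"))  # the path
    print(verify_argument(insecure=True))                      # False, with a warning
```

Note that `insecure` takes precedence over `cafile` in this mapping, so a deployment that has set both still gets no validation; whichever default the project settles on, logging the insecure path makes the weaker configuration auditable.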



