[openstack-dev] Keystone Hashing MD5 to SHA256

Florent Flament florent.flament-ext at cloudwatt.com
Mon Jan 6 17:56:59 UTC 2014


+1, looks like a good idea

----- Original Message -----
From: "Jay Pipes" <jaypipes at gmail.com>
To: openstack-dev at lists.openstack.org
Sent: Monday, January 6, 2014 5:29:49 PM
Subject: Re: [openstack-dev] Keystone Hashing MD5 to SHA256

On Mon, 2014-01-06 at 17:00 +0100, Tristan Cacqueray wrote:
> On 01/06/2014 04:19 PM, Adam Young wrote:
> > Dirk,
> > 
> > If it were as easy as just replacing the hash algorithm, we would
> > have done it a year + ago.  I'm guessing you figured that by now.
> > 
> > Here is the deal:  We need to be able to make things work side by side. 
> > Not sure how to do that, but I think the right solution is to make
> > keystone configurable first, so that you can set the hashing algorithm
> > in the config file, and that python-keystoneclient should be able to
> > handle both.  Since the PKC doesn't tend to talk to multiple Keystones,
> > that should probably be sufficient.
> > 
> > In the future, Keystone needs to advertise, somehow, what hashing
> > algorithm it uses.  It probably can/should stick that data in the token.
> > 
> > Thoughts?
> > 
> 
> Hello list!
> 
> How about we prefix the hash with the chosen algorithm, like the glibc
> crypt method (i.e. $id$hash)? No prefix would mean the former md5.
> 
> This would allow a smooth migration as multiple hash algorithms could be
> used simultaneously and keystone wouldn't have to announce what
> algorithm it uses...

+1. Simple and effective.

-jay
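
The `$id$hash` prefix scheme proposed in the thread, sketched as an added example; this is not code from Keystone or from any poster. The ids `md5` and `sha256`, the function names and the `allowed` parameter are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumed id -> algorithm table; the thread does not define the ids.
ALGORITHMS = {"md5": hashlib.md5, "sha256": hashlib.sha256}
LEGACY = "md5"      # per the proposal: no prefix means the former md5
DEFAULT = "sha256"  # assumed algorithm for newly produced hashes


def tag_hash(data: bytes, algorithm: str = DEFAULT) -> str:
    """Hash data and return it in $id$hash form."""
    if algorithm not in ALGORITHMS:
        raise ValueError("unsupported algorithm: %s" % algorithm)
    return "$%s$%s" % (algorithm, ALGORITHMS[algorithm](data).hexdigest())


def parse_hash(stored: str):
    """Split a stored value into (algorithm id, hex digest)."""
    if not stored.startswith("$"):
        return LEGACY, stored  # unprefixed values predate the scheme
    parts = stored.split("$")  # "$sha256$ab" -> ["", "sha256", "ab"]
    if len(parts) != 3 or parts[1] not in ALGORITHMS or not parts[2]:
        raise ValueError("malformed or unsupported hash prefix")
    return parts[1], parts[2]


def matches(data: bytes, stored: str, allowed=frozenset(ALGORITHMS)) -> bool:
    """Check data against a stored hash, old or new format.

    `allowed` lets an operator stop accepting md5 once migration is done,
    so a legacy value cannot be used to fall back to the weaker hash.
    """
    algorithm, digest = parse_hash(stored)
    if algorithm not in allowed:
        return False
    expected = ALGORITHMS[algorithm](data).hexdigest()
    # Constant-time comparison on bytes (accepts any input string).
    return hmac.compare_digest(expected.encode(), digest.lower().encode())
```

Both formats validate side by side during migration, and passing `allowed={"sha256"}` rejects the unprefixed md5 values afterwards.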

