[openstack-dev] [OpenStack-dev][heat][keystone][security sig][all] SSL option for keystone session
Zane Bitter
zbitter at redhat.com
Mon Aug 6 18:58:37 UTC 2018
On 06/08/18 00:46, Rico Lin wrote:
> Hi all
> I would like to trigger a discussion on providing SSL content directly
> for the KeyStone session. Since all teams are using SSL, I believe this may be
> of concern to other projects as well.
>
> As we consider implementing a customized SSL option for Heat remote stack
> [3] (and multicloud support [1]), I'm trying to figure out what is the
> best solution for this. The current SSL option in the KeyStone session doesn't
> allow us to provide the CERT/Key string directly; instead it only allows us to
> provide a CERT/Key file path, which is actually a limitation of
> Python with versions less than 3.7 ([2]). As we are not going to easily get
> rid of previous Python versions, we are trying to figure out what is the best
> solution we can approach here.
>
> Some ways we can think about are using a pipeline, or creating a file,
> encrypting it and sending the file path out to the KeyStone session.
>
> Would like to hear more from all for any advice or suggestion on how
> we can approach this.
Create a temporary directory using tempfile.mkdtemp() as shown here:
https://security.openstack.org/guidelines/dg_using-temporary-files-securely.html#correct
This probably only needs to happen once per process. (Also I would pass
mode=0o600 when creating the file instead of using umask().)
Assuming the data gets read only once, then rather than using a tempfile
I'd suggest creating a named pipe using os.mkfifo(), opening it, and
writing the data. Then pass the filename of the FIFO to the SSL lib. Close
it again afterwards and remove the pipe.
> [1] https://etherpad.openstack.org/p/ptg-rocky-multi-cloud
> [2] https://www.python.org/dev/peps/pep-0543/
> [3] https://review.openstack.org/#/c/480923/
> --
> May The Force of OpenStack Be With You,
> Rico Lin
> irc: ricolin
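Both options from the reply above, worked through as an added example. This is not code from the thread, from Heat or from keystoneauth: it assumes a constructed PEM byte string standing in for material that only exists in memory, a hypothetical read_once() standing in for the SSL library opening the path (for the stdlib that would be ssl.SSLContext.load_cert_chain()), and the helper names secure_tempdir(), write_secret_file() and secret_fifo() are invented here. The FIFO variant also handles the failure mode the reply does not mention: opening a FIFO for writing blocks until a reader appears, so the write runs on a helper thread, and the context manager drains the pipe itself if the consumer never opened it, so neither the caller nor the thread hangs.

```python
import os
import stat
import tempfile
import threading
from contextlib import contextmanager

# Constructed stand-in for PEM material that only exists in memory
# (for example a cert/key string received through the Heat remote stack API).
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    b"constructed-sample-not-a-real-certificate\n"
    b"-----END CERTIFICATE-----\n"
)

_secure_dir = None
_secure_dir_lock = threading.Lock()


def secure_tempdir():
    """Private scratch directory, created once per process.

    tempfile.mkdtemp() creates the directory with mode 0700 and a random
    name, so another local user can neither pre-create nor guess the paths
    used below.
    """
    global _secure_dir
    with _secure_dir_lock:
        if _secure_dir is None:
            _secure_dir = tempfile.mkdtemp(prefix="keystone-ssl-")
        return _secure_dir


def _write_all(fd, data):
    """os.write() may write less than asked (notably on pipes); loop until done."""
    view = memoryview(data)
    while view:
        view = view[os.write(fd, view):]


def write_secret_file(data, name):
    """Option 1: a regular file the SSL library may open as often as it likes.

    O_CREAT|O_EXCL fails if anything already exists at the path (including a
    symlink planted by someone else), and the explicit 0o600 mode is applied
    at creation time, so there is no window in which the file is readable by
    other users.
    """
    path = os.path.join(secure_tempdir(), name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        _write_all(fd, data)
    finally:
        os.close(fd)
    return path


@contextmanager
def secret_fifo(data, name):
    """Option 2: a named pipe; the secret never lands on disk.

    Only suitable when the consumer opens and reads the path exactly once.
    """
    path = os.path.join(secure_tempdir(), name)
    os.mkfifo(path, 0o600)

    def feed():
        try:
            wfd = os.open(path, os.O_WRONLY)  # blocks until a reader opens the FIFO
            try:
                _write_all(wfd, data)
            finally:
                os.close(wfd)
        except BrokenPipeError:
            pass  # the reader went away early; nothing sensible left to do here

    feeder = threading.Thread(target=feed, daemon=True)
    feeder.start()
    try:
        yield path
    finally:
        if feeder.is_alive():
            # Consumer never opened the pipe: act as the reader ourselves and
            # discard the data so the feeder's open() and write() can finish.
            rfd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
            try:
                while feeder.is_alive():
                    try:
                        chunk = os.read(rfd, 65536)
                    except BlockingIOError:
                        chunk = b""
                    if not chunk:
                        feeder.join(0.01)  # nothing buffered yet; give the feeder time
            finally:
                os.close(rfd)
        feeder.join()
        os.unlink(path)


def read_once(path):
    """Stand-in for the SSL library consuming the path (e.g. load_cert_chain())."""
    with open(path, "rb") as f:
        return f.read()


def permission_bits(path):
    """Permission bits only (e.g. 0o600), for checking what was created."""
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    cert_path = write_secret_file(SAMPLE_PEM, "cert.pem")
    print(cert_path, oct(permission_bits(cert_path)))
    with secret_fifo(SAMPLE_PEM, "key.fifo") as fifo_path:
        print(len(read_once(fifo_path)), "bytes read from", fifo_path)
    print("fifo removed:", not os.path.exists(fifo_path))
```

The file variant is the safe default: if the library opens the path twice (a cert and key that point at the same file, or a reload after a reconnect) a FIFO would block on the second open, whereas a 0600 file inside a mkdtemp() directory tolerates any access pattern and just needs to be removed when the session is torn down.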