[openstack-dev] [OpenStack-dev][heat][keystone][security sig][all] SSL option for keystone session

Zane Bitter zbitter at redhat.com
Mon Aug 6 18:58:37 UTC 2018


On 06/08/18 00:46, Rico Lin wrote:
> Hi all,
> I would like to trigger a discussion on providing SSL content directly 
> for the Keystone session. Since all teams are using SSL, I believe this 
> may be a concern for other projects as well.
> 
> As we consider implementing a customized SSL option for Heat remote stack 
> [3] (and multicloud support [1]), I'm trying to figure out what is the 
> best solution for this. The current SSL option in the Keystone session 
> doesn't allow us to provide the CERT/Key string directly; instead it only 
> allows us to provide a CERT/Key file path, which is actually a limitation 
> of Python versions lower than 3.7 ([2]). As we are not going to easily get 
> rid of previous Python versions, we are trying to figure out what is the 
> best solution we can approach here.
> 
> Some ways we can think about are using a pipeline, or creating a file, 
> encrypting it, and sending the file path out to the Keystone session.
> 
> I would like to hear more from all of you for any advice or suggestion on 
> how we can approach this.

Create a temporary directory using tempfile.mkdtemp() as shown here:

https://security.openstack.org/guidelines/dg_using-temporary-files-securely.html#correct

This probably only needs to happen once per process. (Also I would pass 
mode=0o600 when creating the file instead of using umask().)

Assuming the data gets read only once, then I'd suggest rather than 
using a tempfile, create a named pipe using os.mkfifo(), open it, and 
write the data. Then pass the filename of the FIFO to the SSL lib. Close 
it again afterwards and remove the pipe.

> [1] https://etherpad.openstack.org/p/ptg-rocky-multi-cloud
> [2] https://www.python.org/dev/peps/pep-0543/
> [3] https://review.openstack.org/#/c/480923/
> --
> May The Force of OpenStack Be With You,
> Rico Lin
> irc: ricolin
> 
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> 
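The two approaches described in the reply above (a 0o600 file inside a mkdtemp() directory, and a mkfifo() pipe whose path is handed to the library), written out as an added example; this is not code from the thread, from Heat or from keystoneauth. read_credential() is a stand-in for the real path-taking call such as ssl.SSLContext.load_cert_chain(), SAMPLE_PEM is a constructed placeholder rather than a real key, and the helper names are the example's own. The FIFO variant keeps the secret out of the filesystem but depends on the consumer opening the path exactly once and reading it sequentially to EOF, which should be verified against the actual SSL library before relying on it; it also handles the failure mode where no consumer ever opens the pipe, so the writer does not stay blocked forever.

```python
import os
import stat
import tempfile
import threading
from contextlib import contextmanager

# Constructed placeholder for the demonstration; not a real key.
SAMPLE_PEM = (b"-----BEGIN PRIVATE KEY-----\n"
              b"constructed-placeholder-not-a-real-key\n"
              b"-----END PRIVATE KEY-----\n")


@contextmanager
def secret_file(data, name="cred.pem"):
    """Hand out *data* (bytes) as the path of a file only this user can read.

    mkdtemp() creates the directory with mode 0o700, and the file is created
    with O_CREAT|O_EXCL and an explicit mode of 0o600, so neither the umask nor
    a pre-existing path can widen access.  File and directory are removed on
    exit.
    """
    tmpdir = tempfile.mkdtemp(prefix="keystone-ssl-")
    path = os.path.join(tmpdir, name)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        yield path
    finally:
        if os.path.exists(path):
            os.unlink(path)
        os.rmdir(tmpdir)


@contextmanager
def secret_fifo(data, name="cred.pem"):
    """Hand out *data* through a named pipe so it never lands on disk.

    Opening a FIFO for writing blocks until a reader opens it, so the write
    runs in a background thread.  On exit the read end is opened once in
    non-blocking mode: that releases a writer still waiting for a consumer
    that never came (its write then fails with EPIPE, which is swallowed),
    after which the FIFO and its directory are removed.  Only usable with a
    consumer that opens the path once and reads sequentially to EOF.
    """
    tmpdir = tempfile.mkdtemp(prefix="keystone-ssl-")
    path = os.path.join(tmpdir, name)
    os.mkfifo(path, 0o600)

    def writer():
        try:
            # os.open avoids the O_CREAT|O_TRUNC flags that open("wb") adds;
            # this call blocks until a reader opens the other end.
            with os.fdopen(os.open(path, os.O_WRONLY), "wb") as fh:
                fh.write(data)
        except BrokenPipeError:  # reader went away early: nothing to do
            pass

    thread = threading.Thread(target=writer, daemon=True)
    thread.start()
    try:
        yield path
    finally:
        # Unblock the writer if nobody ever read, then tear everything down.
        os.close(os.open(path, os.O_RDONLY | os.O_NONBLOCK))
        thread.join(timeout=2.0)
        os.unlink(path)
        os.rmdir(tmpdir)


def read_credential(path):
    """Stand-in for a library call that takes a filename (for example
    ssl.SSLContext.load_cert_chain()): open once, read to EOF."""
    with open(path, "rb") as fh:
        return fh.read()


def demo(data=SAMPLE_PEM):
    """Exercise both helpers and report what a caller can rely on."""
    result = {}
    with secret_file(data) as path:
        result["file_mode"] = stat.S_IMODE(os.stat(path).st_mode)
        result["file_roundtrip"] = read_credential(path) == data
        tmpdir = os.path.dirname(path)
    result["file_cleaned"] = not os.path.exists(tmpdir)

    with secret_fifo(data) as path:
        result["is_fifo"] = stat.S_ISFIFO(os.stat(path).st_mode)
        result["fifo_roundtrip"] = read_credential(path) == data
        tmpdir = os.path.dirname(path)
    result["fifo_cleaned"] = not os.path.exists(tmpdir)

    # A consumer that never opens the pipe must not wedge the caller.
    with secret_fifo(data):
        pass
    result["fifo_unread_ok"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

Both helpers are meant to be used as context managers around the single call that consumes the path, which is what keeps the window in which the credential is reachable from the filesystem as short as possible. PEM credentials are far below the kernel pipe buffer size, so the FIFO writer finishes as soon as the consumer opens the pipe; for a consumer that stats, seeks or re-opens the path, the file variant is the one to use.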