Is there a way we can invoke using SHAs in pycadf from keystone
directly? It looks like a configuration option was introduced to make
using md5 conditional, but I can't seem to invoke it from config.
We might have to fix this in pycadf directly. I don't think we have any
options for working around this with keystone.
** Also affects: pycadf
Importance: Undecided
Status: New
** Summary changed:
- keystone-manage fails on FIPS compliant system
+ pycadf fails on FIPS compliant system due to using md5
** Changed in: keystone
Status: New => Incomplete
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1767024
Title:
pycadf fails on FIPS compliant system due to using md5
Status in OpenStack Identity (keystone):
Incomplete
Status in pycadf:
New
Bug description:
I took a RHEL 7 system and enabled FIPS compliance (FIPS does not
allow md5) and I see the following when keystone-manage is run. As a
general rule, we should avoid using md5 if we can and move over to SHA
wherever possible. The below also indicates that probably openstack
auditing functional, which is internally dependent on pycadf might
also be impacted.
File "/usr/bin/keystone-manage", line 6, in <module>
from keystone.cmd.manage import main
File "/usr/lib/python2.7/site-packages/keystone/cmd/manage.py", line 19, in
<module>
from keystone.cmd import cli
File "/usr/lib/python2.7/site-packages/keystone/cmd/cli.py", line 29, in
<module>
from keystone.cmd import doctor
File "/usr/lib/python2.7/site-packages/keystone/cmd/doctor/__init__.py",
line 14, in <module>
from keystone.cmd.doctor import credential
File "/usr/lib/python2.7/site-packages/keystone/cmd/doctor/credential.py",
line 16, in <module>
from keystone.credential.providers import fernet as credential_fernet
File "/usr/lib/python2.7/site-packages/keystone/credential/__init__.py",
line 15, in <module>
from keystone.credential import controllers # noqa
File "/usr/lib/python2.7/site-packages/keystone/credential/controllers.py",
line 19, in <module>
from keystone.common import controller
File "/usr/lib/python2.7/site-packages/keystone/common/controller.py", line
22, in <module>
from keystone.common import authorization
File "/usr/lib/python2.7/site-packages/keystone/common/authorization.py",
line 25, in <module>
from keystone.models import token_model
File "/usr/lib/python2.7/site-packages/keystone/models/token_model.py",
line 20, in <module>
from keystone.federation import constants
File "/usr/lib/python2.7/site-packages/keystone/federation/__init__.py",
line 15, in <module>
from keystone.federation.core import * # noqa
File "/usr/lib/python2.7/site-packages/keystone/federation/core.py", line
24, in <module>
from keystone import notifications
File "/usr/lib/python2.7/site-packages/keystone/notifications.py", line 29,
in <module>
from pycadf import eventfactory
File "/usr/lib/python2.7/site-packages/pycadf/eventfactory.py", line 16, in
<module>
from pycadf import event
File "/usr/lib/python2.7/site-packages/pycadf/event.py", line 20, in
<module>
from pycadf import identifier
File "/usr/lib/python2.7/site-packages/pycadf/identifier.py", line 33, in
<module>
md5_hash = hashlib.md5(CONF.audit.namespace.encode('utf-8'))
ValueError: error:060800A3:digital envelope
routines:EVP_DigestInit_ex:disabled for fip
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1767024/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
