Is there a way we can invoke using SHAs in pycadf from keystone directly? It looks like a configuration option was introduced to make using md5 conditional, but I can't seem to invoke it from config.
We might have to fix this in pycadf directly. I don't think we have any options for working around this with keystone. ** Also affects: pycadf Importance: Undecided Status: New ** Summary changed: - keystone-manage fails on FIPS compliant system + pycadf fails on FIPS compliant system due to using md5 ** Changed in: keystone Status: New => Incomplete -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1767024 Title: pycadf fails on FIPS compliant system due to using md5 Status in OpenStack Identity (keystone): Incomplete Status in pycadf: New Bug description: I took a RHEL 7 system and enabled FIPS compliance (FIPS does not allow md5) and I see the following when keystone-manage is run. As a general rule, we should avoid using md5 if we can and move over to SHA wherever possible. The below also indicates that probably openstack auditing functional, which is internally dependent on pycadf might also be impacted. File "/usr/bin/keystone-manage", line 6, in <module> from keystone.cmd.manage import main File "/usr/lib/python2.7/site-packages/keystone/cmd/manage.py", line 19, in <module> from keystone.cmd import cli File "/usr/lib/python2.7/site-packages/keystone/cmd/cli.py", line 29, in <module> from keystone.cmd import doctor File "/usr/lib/python2.7/site-packages/keystone/cmd/doctor/__init__.py", line 14, in <module> from keystone.cmd.doctor import credential File "/usr/lib/python2.7/site-packages/keystone/cmd/doctor/credential.py", line 16, in <module> from keystone.credential.providers import fernet as credential_fernet File "/usr/lib/python2.7/site-packages/keystone/credential/__init__.py", line 15, in <module> from keystone.credential import controllers # noqa File "/usr/lib/python2.7/site-packages/keystone/credential/controllers.py", line 19, in <module> from keystone.common import controller File "/usr/lib/python2.7/site-packages/keystone/common/controller.py", line 22, in <module> from keystone.common import authorization File "/usr/lib/python2.7/site-packages/keystone/common/authorization.py", line 25, in <module> from keystone.models import token_model File "/usr/lib/python2.7/site-packages/keystone/models/token_model.py", line 20, in <module> from keystone.federation import constants File "/usr/lib/python2.7/site-packages/keystone/federation/__init__.py", line 15, in <module> from keystone.federation.core import * # noqa File "/usr/lib/python2.7/site-packages/keystone/federation/core.py", line 24, in <module> from keystone import notifications File "/usr/lib/python2.7/site-packages/keystone/notifications.py", line 29, in <module> from pycadf import eventfactory File "/usr/lib/python2.7/site-packages/pycadf/eventfactory.py", line 16, in <module> from pycadf import event File "/usr/lib/python2.7/site-packages/pycadf/event.py", line 20, in <module> from pycadf import identifier File "/usr/lib/python2.7/site-packages/pycadf/identifier.py", line 33, in <module> md5_hash = hashlib.md5(CONF.audit.namespace.encode('utf-8')) ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fip To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1767024/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp