With pycrypto removed from keystoneauth [0] (thanks Brant, Monty, and Morgan!), I did some poking at the usage in keystonemiddleware [1].
The usage is built into auth_token middleware for encrypting and decrypting things stored in cache [2], but it is conditional based on configuration [3] and whether or not pycrypto is installed [4]. The encryption of things before caching them is disabled by default.

We've also had several discussions about moving keystonemiddleware to using oslo.cache instead of its own caching implementation [5] for py3 reasons. If we're going to invest time into making that switch, grouping the switch from pycrypto to pyca/cryptography doesn't sound unreasonable.

Any thoughts on this from a keystone perspective? I can try and work them into a spec proposal for keystonemiddleware since I'll be proposing one for the oslo.cache switch [6].

[0] https://review.openstack.org/#/c/443318/
[1] https://github.com/openstack/keystonemiddleware/blob/a2e3d60644aadb4ecb3d49dadbcd5d4c1dec2176/test-requirements.txt#L12
[2] https://github.com/openstack/keystonemiddleware/blob/a2e3d60644aadb4ecb3d49dadbcd5d4c1dec2176/keystonemiddleware/auth_token/_memcache_crypt.py#L19-L21
[3] https://github.com/openstack/keystonemiddleware/blob/a2e3d60644aadb4ecb3d49dadbcd5d4c1dec2176/keystonemiddleware/auth_token/_opts.py#L109-L122
[4] https://github.com/openstack/keystonemiddleware/blob/a2e3d60644aadb4ecb3d49dadbcd5d4c1dec2176/keystonemiddleware/auth_token/_memcache_crypt.py#L42-L46
[5] http://eavesdrop.openstack.org/meetings/keystone/2017/keystone.2017-03-21-18.00.log.html#l-136
[6] http://eavesdrop.openstack.org/meetings/keystone/2017/keystone.2017-03-21-18.00.log.html#l-149

On Wed, Mar 29, 2017 at 9:56 AM, Brian Rosmaita <[email protected]> wrote:
> On 3/8/17 2:03 PM, Matthew Thode wrote:
> > So, pycrypto upstream is dead and has been for a while, we should look
> > at moving off of it for both bugfix and security reasons.
> >
> > Currently it's used by the following.
> >
> > barbican, cinder, trove, glance, heat, keystoneauth, keystonemiddleware,
> > kolla, openstack-ansible, and a couple of other smaller places.
> > [snip]
> >
> > I'd be interested in hearing about migration plans, especially from the
> > affected projects.
>
> Glance report:
> - pycrypto isn't used in glance_store or python-glanceclient
> - Glance already uses cryptography for image-signature verification, so
> our path will be to migrate from pycrypto -> cryptography
> - I've got a patch up for this: https://review.openstack.org/#/c/449401/
>
> cheers,
> brian
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: [email protected]?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: [email protected]?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
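The thread's concrete engineering question is what the auth_token cache protection looks like once it is built on pyca/cryptography instead of pycrypto, and what should happen when the library is absent but the operator has configured encryption. The following is an added example written for this page; it is not keystonemiddleware's `_memcache_crypt` code and does not reproduce its format. It assumes its own strategy names (`None`, `MAC`, `ENCRYPT`), its own envelope layout, an HMAC-based key-split step and a fail-closed rule at configuration time; the MAC path needs only the standard library, while the `ENCRYPT` path uses `cryptography`'s `AESGCM`.

```python
"""Added example (not keystonemiddleware code): an envelope for values put in
a shared cache, with no protection, integrity only (HMAC-SHA256), or
authenticated encryption (AES-256-GCM via pyca/cryptography).
Strategy names, envelope layout, key-derivation labels and the fail-closed
rule are assumptions of this example, not the middleware's design.
"""
import base64
import hashlib
import hmac
import os

try:
    from cryptography.exceptions import InvalidTag
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM
    HAVE_CRYPTOGRAPHY = True
except ImportError:
    # The library stays optional, but whether that is acceptable is decided
    # once, at configuration time, in check_strategy() below.
    InvalidTag = AESGCM = None
    HAVE_CRYPTOGRAPHY = False

NONE, MAC, ENCRYPT = "None", "MAC", "ENCRYPT"
_STRATEGIES = (NONE, MAC, ENCRYPT)
_MAC_LEN = hashlib.sha256().digest_size   # 32 bytes
_NONCE_LEN = 12                           # standard AES-GCM nonce size


class InvalidCacheValue(Exception):
    """A cached value failed its integrity or authenticity check."""


def check_strategy(strategy):
    """Validate the configured strategy once at startup.

    Fail closed: if ENCRYPT is requested and the crypto library is missing,
    refuse to run instead of quietly caching in plaintext.
    """
    if strategy not in _STRATEGIES:
        raise ValueError("unknown cache security strategy: %r" % (strategy,))
    if strategy == ENCRYPT and not HAVE_CRYPTOGRAPHY:
        raise RuntimeError("strategy ENCRYPT requires the 'cryptography' package")
    return strategy


def derive_keys(secret):
    """Split one configured secret into independent MAC and encryption keys
    (HMAC-SHA256 with fixed purpose labels; the labels are an assumption)."""
    mac_key = hmac.new(secret, b"cache-mac-key", hashlib.sha256).digest()
    enc_key = hmac.new(secret, b"cache-enc-key", hashlib.sha256).digest()
    return mac_key, enc_key


def protect(secret, strategy, data):
    """Wrap `data` (bytes) for storage as b'<STRATEGY>:<base64 body>'."""
    check_strategy(strategy)
    mac_key, enc_key = derive_keys(secret)
    if strategy == NONE:
        body = data
    elif strategy == MAC:
        body = hmac.new(mac_key, data, hashlib.sha256).digest() + data  # tag || plaintext
    else:
        nonce = os.urandom(_NONCE_LEN)        # fresh nonce per stored value
        body = nonce + AESGCM(enc_key).encrypt(nonce, data, None)
    return strategy.encode() + b":" + base64.b64encode(body)


def unprotect(secret, strategy, blob):
    """Reverse protect(); raise InvalidCacheValue on tampering or mismatch."""
    check_strategy(strategy)
    mac_key, enc_key = derive_keys(secret)
    label, sep, encoded = blob.partition(b":")
    if not sep or label != strategy.encode():
        # Reject values written under another strategy rather than trusting
        # them under weaker rules than the operator configured.
        raise InvalidCacheValue("cached value is not a %s envelope" % strategy)
    try:
        body = base64.b64decode(encoded, validate=True)
    except ValueError as exc:
        raise InvalidCacheValue("corrupt envelope: %s" % exc)
    if strategy == NONE:
        return body
    if strategy == MAC:
        tag, data = body[:_MAC_LEN], body[_MAC_LEN:]
        expected = hmac.new(mac_key, data, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            raise InvalidCacheValue("HMAC mismatch")
        return data
    nonce, ciphertext = body[:_NONCE_LEN], body[_NONCE_LEN:]
    try:
        return AESGCM(enc_key).decrypt(nonce, ciphertext, None)
    except InvalidTag:
        raise InvalidCacheValue("authentication tag mismatch")


if __name__ == "__main__":
    secret = b"constructed-example-secret"   # constructed sample, not a real key
    token_data = b'{"user_id": "u-123", "roles": ["member"]}'  # constructed payload
    for strategy in _STRATEGIES:
        try:
            blob = protect(secret, strategy, token_data)
            print(strategy, "round-trips:", unprotect(secret, strategy, blob) == token_data)
        except RuntimeError as exc:
            print(strategy, "unavailable:", exc)
```

Two design points matter for the migration the thread discusses. First, the library check is separated from the per-request code path: `check_strategy()` raises at configuration time when `ENCRYPT` is configured without the library, which is the behaviour to prefer over silently degrading to plaintext caching. Second, each envelope carries its strategy label and `unprotect()` refuses a value written under a different strategy, so a mixed deployment during a rollout cannot read an unauthenticated entry as if it had been protected.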
