Actually - in lieu of writing specs for this work, we already have a keystonemiddleware bug open for moving to oslo.cache [0].
I've opened another bug for moving to a supported crypto library [1].

[0] https://bugs.launchpad.net/keystonemiddleware/+bug/1523375
[1] https://bugs.launchpad.net/keystonemiddleware/+bug/1677308

On Wed, Mar 29, 2017 at 10:41 AM, Lance Bragstad <lbrags...@gmail.com> wrote:

> With pycrypto removed from keystoneauth [0] (thanks Brant, Monty, and
> Morgan!), I did some poking at the usage in keystonemiddleware [1].
>
> The usage is built into auth_token middleware for encrypting and
> decrypting things stored in cache [2], but it is conditional based on
> configuration [3] and whether or not pycrypto is installed [4]. The
> encryption of things before caching them is disabled by default.
>
> We've also had several discussions about moving keystonemiddleware to
> using oslo.cache instead of its own caching implementation [5] for py3
> reasons. If we're going to invest time into making that switch, grouping
> the switch from pycrypto to pyca/cryptography doesn't sound unreasonable.
>
> Any thoughts on this from a keystone perspective? I can try and work them
> into a spec proposal for keystonemiddleware since I'll be proposing one for
> the oslo.cache switch [6].
>
> [0] https://review.openstack.org/#/c/443318/
> [1] https://github.com/openstack/keystonemiddleware/blob/a2e3d60644aadb4ecb3d49dadbcd5d4c1dec2176/test-requirements.txt#L12
> [2] https://github.com/openstack/keystonemiddleware/blob/a2e3d60644aadb4ecb3d49dadbcd5d4c1dec2176/keystonemiddleware/auth_token/_memcache_crypt.py#L19-L21
> [3] https://github.com/openstack/keystonemiddleware/blob/a2e3d60644aadb4ecb3d49dadbcd5d4c1dec2176/keystonemiddleware/auth_token/_opts.py#L109-L122
> [4] https://github.com/openstack/keystonemiddleware/blob/a2e3d60644aadb4ecb3d49dadbcd5d4c1dec2176/keystonemiddleware/auth_token/_memcache_crypt.py#L42-L46
> [5] http://eavesdrop.openstack.org/meetings/keystone/2017/keystone.2017-03-21-18.00.log.html#l-136
> [6] http://eavesdrop.openstack.org/meetings/keystone/2017/keystone.2017-03-21-18.00.log.html#l-149
>
> On Wed, Mar 29, 2017 at 9:56 AM, Brian Rosmaita <rosmaita.foss...@gmail.com> wrote:
>
>> On 3/8/17 2:03 PM, Matthew Thode wrote:
>> > So, pycrypto upstream is dead and has been for a while, we should look
>> > at moving off of it for both bugfix and security reasons.
>> >
>> > Currently it's used by the following.
>> >
>> > barbican, cinder, trove, glance, heat, keystoneauth, keystonemiddleware,
>> > kolla, openstack-ansible, and a couple of other smaller places.
>>
>> [snip]
>>
>> > I'd be interested in hearing about migration plans, especially from the
>> > affected projects.
>>
>> Glance report:
>> - pycrypto isn't used in glance_store or python-glanceclient
>> - Glance already uses cryptography for image-signature verification, so
>>   our path will be to migrate from pycrypto -> cryptography
>> - I've got a patch up for this: https://review.openstack.org/#/c/449401/
>>
>> cheers,
>> brian
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev