0edf1fe46c
This commit implements credential encryption through the following changes: - additive schema change to store key hashes for credentials - database migration to encrypt all pre-existing credentials - contractive schema change to remove unencrypted credential column - added code to the credential Manager to handle credential encryption All credentials will be encrypted by default. There will not be a way to store unencrypted credentials in keystone from this point forward. Note that this implementation uses database triggers in the migration process. If operators use the traditional offline migration method, it would be more reliable if we didn't try to setup and tear down triggers, as they'll never be used anyway. This makes it so that expand and contract migrations can skip anything related to triggers. Co-Authored-By: Werner Mendizabal <nonameentername@gmail.com> bp credential-encryption Depends-On: I433da9a257daa21ec3b5996b2bca571211f1fbba Depends-On: Id3e8922adc154cfec5f7a36613e22eb0b49eeffe Change-Id: I31b7539db436ad270462cfaa3b14213e0ed1fc04 |
||
|---|---|---|
| .. | ||
| doctor | ||
| __init__.py | ||
| cli.py | ||
| manage.py | ||