keystone/keystone/common
Lance Bragstad 0edf1fe46c Implement encryption of credentials at rest
This commit implements credential encryption through the following changes:

 - additive schema change to store key hashes for credentials
 - database migration to encrypt all pre-existing credentials
 - contractive schema change to remove unencrypted credential column
 - added code to the credential Manager to handle credential encryption

All credentials will be encrypted by default. There will not be a way to store
unencrypted credentials in keystone from this point forward.

Note that this implementation uses database triggers in the migration process.
If operators use the traditional offline migration method, it would be more
reliable if we didn't try to set up and tear down triggers, as they'll never be
used anyway. This makes it so that expand and contract migrations can skip
anything related to triggers.

Co-Authored-By: Werner Mendizabal <nonameentername@gmail.com>

bp credential-encryption

Depends-On: I433da9a257daa21ec3b5996b2bca571211f1fbba
Depends-On: Id3e8922adc154cfec5f7a36613e22eb0b49eeffe
Change-Id: I31b7539db436ad270462cfaa3b14213e0ed1fc04
2016-09-02 04:25:49 +00:00
cache Distributed cache namespace to invalidate regions 2016-08-29 16:38:55 +00:00
kvs Cleaning imports in code 2016-08-27 09:02:41 +07:00
ldap Isolate common ldap code to the identity backend 2016-05-21 20:57:09 -07:00
sql Implement encryption of credentials at rest 2016-09-02 04:25:49 +00:00
validation PCI-DSS Password strength requirements 2016-07-14 15:10:33 +00:00
__init__.py establish basic structure 2012-01-18 20:06:27 -08:00
authorization.py Add is_domain in token response 2016-05-11 21:32:39 +00:00
clean.py move clean.py into keystone/common 2015-07-18 23:32:08 -07:00
context.py Handle more auth information via context 2016-07-13 17:14:46 +10:00
controller.py PCI-DSS Password expires validation 2016-08-05 13:21:42 +00:00
dependency.py Fix D401 PEP8 violation. 2016-04-14 20:08:52 +00:00
driver_hints.py /services?name=<name> API fails when using list_limit 2016-06-21 14:22:19 -07:00
extension.py Fix D202: No blank lines after function docstring (PEP257) 2015-10-28 07:25:04 +00:00
fernet_utils.py Reduce log level of Fernet key count message 2016-08-25 20:57:04 +00:00
json_home.py Fix D202: No blank lines after function docstring (PEP257) 2015-10-28 07:25:04 +00:00
manager.py Add in TRACE logging for the manager 2016-02-02 08:46:57 -08:00
openssl.py Fix formatting strings when using multiple variables 2016-08-30 12:20:23 +07:00
profiler.py Support new osprofiler API 2016-08-15 13:55:34 +00:00
request.py Require auth_context middleware in the pipeline 2016-07-13 17:14:46 +10:00
router.py Implement HEAD method for all v3 GET actions 2016-03-22 10:27:53 -07:00
tokenless_auth.py Relax the requirement for mappings to result in group memberships 2016-09-01 03:24:27 +00:00
utils.py Fix formatting strings when using multiple variables 2016-08-30 12:20:23 +07:00
wsgi.py Cleaning imports in code 2016-08-27 09:02:41 +07:00