Merge "Remove "crypt_strength" option"

Zuul 2018-11-16 21:00:26 +00:00 committed by Gerrit Code Review
commit a3b4c6157a
4 changed files with 5 additions and 33 deletions


@ -32,9 +32,6 @@ These are all of the options in ``keystone.conf`` that have a direct impact on
performance. See the help descriptions for these options for more specific
details on how and why you might want to tune these options for yourself.
* ``[DEFAULT] crypt_strength``: Reduce this number to increase performance,
increase this number to make SQL managed password checking more secure.
* ``[DEFAULT] max_project_tree_depth``: Reduce this number to increase
performance, increase this number to cater to more complicated hierarchical
multitenancy use cases.
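Review bot: dropping the `crypt_strength` bullet leaves this performance-tuning list with no pointer to how password-hashing cost is tuned now; since the removed option's deprecation text directs operators to the `[identity]` block, and the test hunk in this change sets `[identity] password_hash_rounds`, consider adding a bullet for that option in the same "reduce to increase performance, increase for security" style so the guidance is not silently lost.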


@ -91,33 +91,6 @@ values. With Fernet tokens, this can be set as low as 255. With UUID tokens,
this should be set to 32).
"""))
# NOTE(lbragstad/morganfainberg): This value of 10k was measured as having an
# approximate 30% clock-time savings over the old default of 40k. The passlib
# default is not static and grows over time to constantly approximate ~300ms of
# CPU time to hash; this was considered too high. This value still exceeds the
# glibc default of 5k.
crypt_strength = cfg.IntOpt(
'crypt_strength',
default=10000,
min=1000,
max=100000,
deprecated_since=versionutils.deprecated.PIKE,
deprecated_reason=utils.fmt("""
sha512_crypt is insufficient for password hashes, use of bcrypt, pbkfd2_sha512
and scrypt are now supported. Options are located in the [identity] config
block. This option is still used for rolling upgrade compatibility password
hashing.
"""),
help=utils.fmt("""
The value passed as the keyword "rounds" to passlib's encrypt method. This
option represents a trade off between security and performance. Higher values
lead to slower performance, but higher security. Changing this option will only
affect newly created passwords as existing password hashes already have a fixed
number of rounds applied, so it is safe to tune this option in a running
cluster. For more information, see
https://pythonhosted.org/passlib/password_hash_api.html#choosing-the-right-rounds-value
"""))
list_limit = cfg.IntOpt(
'list_limit',
help=utils.fmt("""
@ -207,7 +180,6 @@ ALL_OPTS = [
max_project_tree_depth,
max_param_size,
max_token_size,
crypt_strength,
list_limit,
strict_password_check,
secure_proxy_ssl_header,
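Review bot: removing `crypt_strength` from `ALL_OPTS` matches the option deletion above, and because `ALL_OPTS` is what gets registered, any leftover `crypt_strength` reference anywhere in keystone (including sample-config or opts-listing tooling) will now fail rather than fall back; a repository-wide search for the name should accompany this hunk.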


@ -779,7 +779,6 @@ class TestCase(BaseTestCase):
# of hashing has been used. Note that 4 is the lowest for bcrypt
# allowed in the `[identity] password_hash_rounds` setting
self.config_fixture.config(group='identity', password_hash_rounds=4)
self.config_fixture.config(crypt_strength=1000)
self.useFixture(
ksfixtures.KeyRepository(


@ -9,4 +9,8 @@ other:
The deprecated token_flush is removed now.
- >
[`blueprint removed-as-of-stein <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-stein>`_]
The deprecated config option `bind` is removed now.
The deprecated config option `bind` is removed now.
- >
The deprecated option `crypt_strength` is removed now. It was only useful
for `sha512_crypt` password hashes which has been superseded by more secure
hashing implementations.
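Review bot: the `bind` sentence appears twice in this hunk with no visible difference, which usually means a whitespace-only change to that line; drop it if it was not intended. In the new entry, "which has been superseded" should read "which have been superseded" (the hashes, plural), and the other entries in this file carry the `removed-as-of-stein` blueprint link, so this one should too for consistency.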