diff --git a/doc/source/admin/identity-performance.rst b/doc/source/admin/identity-performance.rst
index 9fb0c8c1a3..a9d97ffd02 100644
--- a/doc/source/admin/identity-performance.rst
+++ b/doc/source/admin/identity-performance.rst
@@ -32,9 +32,6 @@ These are all of the options in ``keystone.conf`` that have a direct impact on
 performance. See the help descriptions for these options for more specific
 details on how and why you might want to tune these options for yourself.
 
-* ``[DEFAULT] crypt_strength``: Reduce this number to increase performance,
-  increase this number to make SQL managed password checking more secure.
-
 * ``[DEFAULT] max_project_tree_depth``: Reduce this number to increase
   performance, increase this number to cater to more complicated hierarchical
   multitenancy use cases.
diff --git a/keystone/conf/default.py b/keystone/conf/default.py
index 3ea85e636e..c22b8fb5a4 100644
--- a/keystone/conf/default.py
+++ b/keystone/conf/default.py
@@ -91,33 +91,6 @@ values. With Fernet tokens, this can be set as low as 255. With UUID tokens,
 this should be set to 32).
 """))
 
-# NOTE(lbragstad/morganfainberg): This value of 10k was measured as having an
-# approximate 30% clock-time savings over the old default of 40k. The passlib
-# default is not static and grows over time to constantly approximate ~300ms of
-# CPU time to hash; this was considered too high. This value still exceeds the
-# glibc default of 5k.
-crypt_strength = cfg.IntOpt(
-    'crypt_strength',
-    default=10000,
-    min=1000,
-    max=100000,
-    deprecated_since=versionutils.deprecated.PIKE,
-    deprecated_reason=utils.fmt("""
-sha512_crypt is insufficient for password hashes, use of bcrypt, pbkfd2_sha512
-and scrypt are now supported. Options are located in the [identity] config
-block. This option is still used for rolling upgrade compatibility password
-hashing.
-"""),
-    help=utils.fmt("""
-The value passed as the keyword "rounds" to passlib's encrypt method. This
-option represents a trade off between security and performance. Higher values
-lead to slower performance, but higher security. Changing this option will only
-affect newly created passwords as existing password hashes already have a fixed
-number of rounds applied, so it is safe to tune this option in a running
-cluster. For more information, see
-https://pythonhosted.org/passlib/password_hash_api.html#choosing-the-right-rounds-value
-"""))
-
 list_limit = cfg.IntOpt(
     'list_limit',
     help=utils.fmt("""
@@ -207,7 +180,6 @@ ALL_OPTS = [
     max_project_tree_depth,
     max_param_size,
     max_token_size,
-    crypt_strength,
     list_limit,
     strict_password_check,
     secure_proxy_ssl_header,
diff --git a/keystone/tests/unit/core.py b/keystone/tests/unit/core.py
index 8b1420625e..ade24ca4ea 100644
--- a/keystone/tests/unit/core.py
+++ b/keystone/tests/unit/core.py
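Review bot: Dropping `crypt_strength` from `ALL_OPTS` turns any surviving `CONF.crypt_strength` read into a `NoSuchOptError` at runtime, and the option's own removed deprecated_reason states it was "still used for rolling upgrade compatibility password hashing"; this diff does not touch that consumer, so I would confirm the password-hashing helper no longer references the option before merging. Verifying existing `sha512_crypt` hashes is unaffected — as the removed help text notes, stored hashes already carry their fixed rounds count — but if a sha512_crypt compatibility hashing path still exists it would now silently fall back to passlib's default rounds, which is worth stating in the release note. The `list_limit` definition that closes the first hunk continues outside it.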
@@ -779,7 +779,6 @@ class TestCase(BaseTestCase):
         # of hashing has been used. Note that 4 is the lowest for bcrypt
         # allowed in the `[identity] password_hash_rounds` setting
         self.config_fixture.config(group='identity', password_hash_rounds=4)
-        self.config_fixture.config(crypt_strength=1000)
 
         self.useFixture(
             ksfixtures.KeyRepository(
diff --git a/releasenotes/notes/removed-as-of-stein-5eb23253b72ab54e.yaml b/releasenotes/notes/removed-as-of-stein-5eb23253b72ab54e.yaml
index 5171789ec5..89564a29ed 100644
--- a/releasenotes/notes/removed-as-of-stein-5eb23253b72ab54e.yaml
+++ b/releasenotes/notes/removed-as-of-stein-5eb23253b72ab54e.yaml
@@ -9,4 +9,8 @@ other:
     The deprecated token_flush is removed now.
   - >
     [`blueprint removed-as-of-stein `_]
-    The deprecated config option `bind` is removed now.
\ No newline at end of file
+    The deprecated config option `bind` is removed now.
+  - >
+    The deprecated option `crypt_strength` is removed now. It was only useful
+    for `sha512_crypt` password hashes which has been superseded by more secure
+    hashing implementations.