yahoo-eng-team team mailing list archive
Message #72612
[Bug 1767024] [NEW] keystone-manage fails on FIPS compliant system
Public bug reported:
I took a RHEL 7 system and enabled FIPS compliance (FIPS does not allow
md5) and I see the following when keystone-manage is run. As a general
rule, we should avoid using md5 if we can and move over to SHA wherever
possible. The below also indicates that probably OpenStack auditing
functionality, which is internally dependent on pycadf, might also be
impacted.

  File "/usr/bin/keystone-manage", line 6, in <module>
    from keystone.cmd.manage import main
  File "/usr/lib/python2.7/site-packages/keystone/cmd/manage.py", line 19, in <module>
    from keystone.cmd import cli
  File "/usr/lib/python2.7/site-packages/keystone/cmd/cli.py", line 29, in <module>
    from keystone.cmd import doctor
  File "/usr/lib/python2.7/site-packages/keystone/cmd/doctor/__init__.py", line 14, in <module>
    from keystone.cmd.doctor import credential
  File "/usr/lib/python2.7/site-packages/keystone/cmd/doctor/credential.py", line 16, in <module>
    from keystone.credential.providers import fernet as credential_fernet
  File "/usr/lib/python2.7/site-packages/keystone/credential/__init__.py", line 15, in <module>
    from keystone.credential import controllers # noqa
  File "/usr/lib/python2.7/site-packages/keystone/credential/controllers.py", line 19, in <module>
    from keystone.common import controller
  File "/usr/lib/python2.7/site-packages/keystone/common/controller.py", line 22, in <module>
    from keystone.common import authorization
  File "/usr/lib/python2.7/site-packages/keystone/common/authorization.py", line 25, in <module>
    from keystone.models import token_model
  File "/usr/lib/python2.7/site-packages/keystone/models/token_model.py", line 20, in <module>
    from keystone.federation import constants
  File "/usr/lib/python2.7/site-packages/keystone/federation/__init__.py", line 15, in <module>
    from keystone.federation.core import * # noqa
  File "/usr/lib/python2.7/site-packages/keystone/federation/core.py", line 24, in <module>
    from keystone import notifications
  File "/usr/lib/python2.7/site-packages/keystone/notifications.py", line 29, in <module>
    from pycadf import eventfactory
  File "/usr/lib/python2.7/site-packages/pycadf/eventfactory.py", line 16, in <module>
    from pycadf import event
  File "/usr/lib/python2.7/site-packages/pycadf/event.py", line 20, in <module>
    from pycadf import identifier
  File "/usr/lib/python2.7/site-packages/pycadf/identifier.py", line 33, in <module>
    md5_hash = hashlib.md5(CONF.audit.namespace.encode('utf-8'))
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fip

** Affects: keystone
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1767024
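
The traceback above shows an MD5 call made at module import time taking down an unrelated command on a FIPS-enforcing host. The following is an added example, not code from pycadf, keystone or the bug report: it probes whether a digest can be instantiated on the current host and derives a namespace identifier from SHA-256 on first use instead of at import. The function names and the choice to truncate SHA-256 to 128 bits are assumptions made for illustration.

```python
import functools
import hashlib
import uuid


def digest_usable(name):
    """Return True if hashlib can instantiate the digest `name` on this host.

    A crypto backend that blocks an algorithm (as in the traceback above)
    raises ValueError from the constructor; unknown names do the same.
    """
    try:
        hashlib.new(name, b"probe")
    except ValueError:
        return False
    return True


@functools.lru_cache(maxsize=None)
def namespace_uuid(namespace):
    """Derive a stable 128-bit UUID for a namespace string using SHA-256.

    Assumed substitute for an MD5-based derivation: the first 16 bytes of
    the SHA-256 digest become the UUID. Cached, so it is computed once, on
    first call, rather than as a side effect of importing the module.
    """
    digest = hashlib.sha256(namespace.encode("utf-8")).digest()
    return uuid.UUID(bytes=digest[:16])


def digest_report(names=("md5", "sha1", "sha256", "sha512")):
    """Map each digest name to whether it is usable on this host."""
    return {name: digest_usable(name) for name in names}


if __name__ == "__main__":
    # Constructed sample namespace; a real deployment would read it from config.
    for name, ok in digest_report().items():
        print("%-8s %s" % (name, "usable" if ok else "blocked or unavailable"))
    print("namespace id:", namespace_uuid("example-namespace"))
```

Identifiers derived this way differ from ones derived with MD5 for the same namespace, so records keyed on the old value will not match the new one.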