yahoo-eng-team team mailing list archive

[Bug 1767024] Re: pycadf fails on FIPS compliant system due to using md5

 

Reviewed:  https://review.openstack.org/614817
Committed: https://git.openstack.org/cgit/openstack/pycadf/commit/?id=b5dfd8dfde46dfce203d517b7b4c28e9d81823cd
Submitter: Zuul
Branch:    master

commit b5dfd8dfde46dfce203d517b7b4c28e9d81823cd
Author: Raildo Mascena <rmascena@xxxxxxxxxx>
Date:   Thu Nov 1 11:03:55 2018 -0300

    Enabling FIPS mode by using sha256 instead of md5
    
    FIPS does not allow md5. Some systems, like RHEL, need to have FIPS
    compliance in order to execute some routines, such as when trying to
    use keystone-manage. As a general rule, we should avoid using md5
    if we can and move over to SHA wherever possible.
    
    Change-Id: Icaeb3305c788db2913fe99792ea6311d218b3410
    Closes-Bug: #1767024


** Changed in: pycadf
       Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1767024

Title:
  pycadf fails on FIPS compliant system due to using md5

Status in OpenStack Identity (keystone):
  Invalid
Status in pycadf:
  Fix Released

Bug description:
  I took a RHEL 7 system and enabled FIPS compliance (FIPS does not
  allow md5) and I see the following when keystone-manage is run. As a
  general rule, we should avoid using md5 if we can and move over to SHA
  wherever possible. The below also indicates that OpenStack auditing
  functionality, which is internally dependent on pycadf, might probably
  also be impacted.

    File "/usr/bin/keystone-manage", line 6, in <module>
      from keystone.cmd.manage import main
    File "/usr/lib/python2.7/site-packages/keystone/cmd/manage.py", line 19, in <module>
      from keystone.cmd import cli
    File "/usr/lib/python2.7/site-packages/keystone/cmd/cli.py", line 29, in <module>
      from keystone.cmd import doctor
    File "/usr/lib/python2.7/site-packages/keystone/cmd/doctor/__init__.py", line 14, in <module>
      from keystone.cmd.doctor import credential
    File "/usr/lib/python2.7/site-packages/keystone/cmd/doctor/credential.py", line 16, in <module>
      from keystone.credential.providers import fernet as credential_fernet
    File "/usr/lib/python2.7/site-packages/keystone/credential/__init__.py", line 15, in <module>
      from keystone.credential import controllers  # noqa
    File "/usr/lib/python2.7/site-packages/keystone/credential/controllers.py", line 19, in <module>
      from keystone.common import controller
    File "/usr/lib/python2.7/site-packages/keystone/common/controller.py", line 22, in <module>
      from keystone.common import authorization
    File "/usr/lib/python2.7/site-packages/keystone/common/authorization.py", line 25, in <module>
      from keystone.models import token_model
    File "/usr/lib/python2.7/site-packages/keystone/models/token_model.py", line 20, in <module>
      from keystone.federation import constants
    File "/usr/lib/python2.7/site-packages/keystone/federation/__init__.py", line 15, in <module>
      from keystone.federation.core import *  # noqa
    File "/usr/lib/python2.7/site-packages/keystone/federation/core.py", line 24, in <module>
      from keystone import notifications
    File "/usr/lib/python2.7/site-packages/keystone/notifications.py", line 29, in <module>
      from pycadf import eventfactory
    File "/usr/lib/python2.7/site-packages/pycadf/eventfactory.py", line 16, in <module>
      from pycadf import event
    File "/usr/lib/python2.7/site-packages/pycadf/event.py", line 20, in <module>
      from pycadf import identifier
    File "/usr/lib/python2.7/site-packages/pycadf/identifier.py", line 33, in <module>
      md5_hash = hashlib.md5(CONF.audit.namespace.encode('utf-8'))
  ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fip

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1767024/+subscriptions
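
The traceback above fails inside an import chain because the md5 call sits at module level, so it runs as soon as the module is imported. As an added example (not pycadf or keystone code), the following audit helper flags `hashlib.md5(...)` and `hashlib.new("md5", ...)` calls in a source file and reports whether each one executes at import time; `find_md5_calls`, `SAMPLE` and the sample module are hypothetical names and constructed input.

```python
import ast

WEAK = {"md5"}  # digests a FIPS-enforcing OpenSSL refuses to initialise

# Constructed sample module (not pycadf source); mirrors the traceback's pattern.
SAMPLE = '''\
import hashlib
import uuid

md5_hash = hashlib.md5(b"namespace")
AUDIT_NS = uuid.UUID(bytes=md5_hash.digest())

def fingerprint(data):
    return hashlib.new("md5", data).hexdigest()

def ident(data):
    return hashlib.sha256(data).hexdigest()
'''


def _is_weak_hash_call(node):
    """True for hashlib.md5(...) or hashlib.new("md5", ...)."""
    func = node.func
    if not (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
            and func.value.id == "hashlib"):
        return False
    if func.attr in WEAK:
        return True
    if func.attr == "new" and node.args:
        arg = node.args[0]
        return isinstance(arg, ast.Constant) and str(arg.value).lower() in WEAK
    return False


def find_md5_calls(source):
    """Return sorted (lineno, runs_at_import) pairs for weak-hash calls."""
    findings = []

    def walk(node, deferred):
        for child in ast.iter_child_nodes(node):
            # Code under a def or lambda is treated as deferred; module-level
            # and class-body code executes during import.
            inner = deferred or isinstance(
                child, (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda))
            if isinstance(child, ast.Call) and _is_weak_hash_call(child):
                findings.append((child.lineno, not deferred))
            walk(child, inner)

    walk(ast.parse(source), False)
    return sorted(findings)
```

Import-time findings are the ones that stop a program from starting on a FIPS-enforcing host; deferred ones fail only when the function is called.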

