On 06/08/18 00:46, Rico Lin wrote:
Hi all,
I would like to trigger a discussion on providing SSL content directly
for the Keystone session. Since all teams use SSL, I believe this may
concern other projects as well.
As we consider implementing a customized SSL option for Heat remote stack
[3] (and multicloud support [1]), I'm trying to figure out what the
best solution for this is. The current SSL option in the Keystone session doesn't
allow us to provide the CERT/Key string directly; instead it only allows us to
provide a CERT/Key file path. This is actually a limitation of
Python versions lower than 3.7 ([2]). As we're not going to easily get
rid of previous Python versions, we're trying to figure out the best
solution we can approach here.
Some ways we can think about: using a pipeline, or creating a file,
encrypting it and sending the file path out to the Keystone session.
I would like to hear more from all of you for any advice or suggestion on how
we can approach this.
Create a temporary directory using tempfile.mkdtemp() as shown here:
https://security.openstack.org/guidelines/dg_using-temporary-files-securely.html#correct
This probably only needs to happen once per process. (Also I would pass
mode=0o600 when creating the file instead of using umask().)
Assuming the data gets read only once, then I'd suggest rather than
using a tempfile, create a named pipe using os.mkfifo(), open it, and
write the data. Then pass the filename of the FIFO to the SSL lib. Close
it again afterwards and remove the pipe.
[1] https://etherpad.openstack.org/p/ptg-rocky-multi-cloud
[2] https://www.python.org/dev/peps/pep-0543/
[3] https://review.openstack.org/#/c/480923/
--
May The Force of OpenStack Be With You,
Rico Lin
irc: ricolin
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
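Both approaches suggested in the reply above, as an added worked example in Python (this is not code from Heat, Keystone or either author of the thread): a 0600 file inside a private tempfile.mkdtemp() directory, and a named pipe created with os.mkfifo() and fed by a background thread. The PEM strings are constructed placeholders, not real keys, and read_like_ssl_lib() is an assumed stand-in for whatever library eventually opens the path; neither is a project API.

```python
"""Hand a Keystone session a cert/key *string* when the SSL layer only
takes file paths.  Two techniques: a 0600 file in a mkdtemp() directory,
and a FIFO so the secret never touches disk.  Added example; the PEM
material and read_like_ssl_lib() are constructed stand-ins."""
import os
import stat
import tempfile
import threading
from contextlib import contextmanager

# Constructed placeholders for real PEM material (not valid keys/certs).
CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN PRIVATE KEY-----\nMIIEconstructed\n-----END PRIVATE KEY-----\n"


def read_like_ssl_lib(path):
    """Assumed stand-in for an SSL library that accepts only a path and
    opens/reads it exactly once."""
    with open(path) as fh:
        return fh.read()


@contextmanager
def pem_tempfile(pem_data, name="material.pem"):
    """Option 1: private directory from mkdtemp() (mode 0700), file created
    with O_CREAT|O_EXCL and an explicit mode of 0600, removed on exit.
    Works with any consumer, including one that opens the path twice."""
    tmpdir = tempfile.mkdtemp(prefix="keystone-ssl-")
    path = os.path.join(tmpdir, name)
    try:
        # O_EXCL: fail rather than follow a pre-existing file or symlink;
        # passing 0o600 here makes the result independent of the umask.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(pem_data)
        yield path
    finally:
        if os.path.exists(path):
            os.unlink(path)
        os.rmdir(tmpdir)


@contextmanager
def pem_fifo(pem_data, name="material.fifo"):
    """Option 2: FIFO in a private directory.  A background thread blocks
    in open() until the consumer opens the read end, writes the PEM once
    and closes.  Only valid when the path is read exactly once: a second
    open() by the consumer would block forever."""
    tmpdir = tempfile.mkdtemp(prefix="keystone-ssl-")
    path = os.path.join(tmpdir, name)
    os.mkfifo(path, 0o600)

    def writer():
        with open(path, "w") as fh:   # blocks until a reader opens the FIFO
            fh.write(pem_data)

    t = threading.Thread(target=writer, daemon=True)
    t.start()
    try:
        yield path
    finally:
        t.join(timeout=5)   # if nobody ever read, the daemon thread is abandoned
        os.unlink(path)
        os.rmdir(tmpdir)


def private_modes(path):
    """Permission bits of the file and of its directory, for a sanity check."""
    return (stat.S_IMODE(os.stat(path).st_mode),
            stat.S_IMODE(os.stat(os.path.dirname(path)).st_mode))


def demo_tempfile(pem_data=KEY_PEM):
    """Returns (data round-tripped, file mode, dir mode, path still exists)."""
    with pem_tempfile(pem_data) as path:
        file_mode, dir_mode = private_modes(path)
        got = read_like_ssl_lib(path)
    return got == pem_data, file_mode, dir_mode, os.path.exists(path)


def demo_fifo(pem_data=KEY_PEM):
    """Returns (data round-tripped, path was a FIFO, path still exists)."""
    with pem_fifo(pem_data) as path:
        is_fifo = stat.S_ISFIFO(os.stat(path).st_mode)
        got = read_like_ssl_lib(path)
    return got == pem_data, is_fifo, os.path.exists(path)


if __name__ == "__main__":
    print("tempfile:", demo_tempfile())
    print("fifo:    ", demo_fifo())
```

The FIFO variant is the one to prefer when the library really does open the path once, since the key never lands on disk; if the library opens the cert and key from the same path separately, retries the open, or stat()s the file for its size before reading, fall back to the mkdtemp() file, which is why the example checks the directory is 0700 and the file 0600 rather than relying on the umask.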