Reviewed:  https://review.openstack.org/614817
Committed: https://git.openstack.org/cgit/openstack/pycadf/commit/?id=b5dfd8dfde46dfce203d517b7b4c28e9d81823cd
Submitter: Zuul
Branch:    master

commit b5dfd8dfde46dfce203d517b7b4c28e9d81823cd
Author: Raildo Mascena <[email protected]>
Date:   Thu Nov 1 11:03:55 2018 -0300

    Enabling FIPS mode by using sha256 instead of md5

    FIPS does not allow md5. Some systems like RHEL need to have FIPS
    compliance in order to execute some routines, like when trying to
    use keystone-manage. As a general rule, we should avoid using md5
    if we can and move over to SHA wherever possible.

    Change-Id: Icaeb3305c788db2913fe99792ea6311d218b3410
    Closes-Bug: #1767024

** Changed in: pycadf
       Status: Triaged => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1767024

Title:
  pycadf fails on FIPS compliant system due to using md5

Status in OpenStack Identity (keystone):
  Invalid
Status in pycadf:
  Fix Released

Bug description:
  I took a RHEL 7 system and enabled FIPS compliance (FIPS does not
  allow md5) and I see the following when keystone-manage is run. As a
  general rule, we should avoid using md5 if we can and move over to SHA
  wherever possible. The below also indicates that probably OpenStack
  auditing functionality, which is internally dependent on pycadf, might
  also be impacted.

    File "/usr/bin/keystone-manage", line 6, in <module>
      from keystone.cmd.manage import main
    File "/usr/lib/python2.7/site-packages/keystone/cmd/manage.py", line 19, in <module>
      from keystone.cmd import cli
    File "/usr/lib/python2.7/site-packages/keystone/cmd/cli.py", line 29, in <module>
      from keystone.cmd import doctor
    File "/usr/lib/python2.7/site-packages/keystone/cmd/doctor/__init__.py", line 14, in <module>
      from keystone.cmd.doctor import credential
    File "/usr/lib/python2.7/site-packages/keystone/cmd/doctor/credential.py", line 16, in <module>
      from keystone.credential.providers import fernet as credential_fernet
    File "/usr/lib/python2.7/site-packages/keystone/credential/__init__.py", line 15, in <module>
      from keystone.credential import controllers  # noqa
    File "/usr/lib/python2.7/site-packages/keystone/credential/controllers.py", line 19, in <module>
      from keystone.common import controller
    File "/usr/lib/python2.7/site-packages/keystone/common/controller.py", line 22, in <module>
      from keystone.common import authorization
    File "/usr/lib/python2.7/site-packages/keystone/common/authorization.py", line 25, in <module>
      from keystone.models import token_model
    File "/usr/lib/python2.7/site-packages/keystone/models/token_model.py", line 20, in <module>
      from keystone.federation import constants
    File "/usr/lib/python2.7/site-packages/keystone/federation/__init__.py", line 15, in <module>
      from keystone.federation.core import *  # noqa
    File "/usr/lib/python2.7/site-packages/keystone/federation/core.py", line 24, in <module>
      from keystone import notifications
    File "/usr/lib/python2.7/site-packages/keystone/notifications.py", line 29, in <module>
      from pycadf import eventfactory
    File "/usr/lib/python2.7/site-packages/pycadf/eventfactory.py", line 16, in <module>
      from pycadf import event
    File "/usr/lib/python2.7/site-packages/pycadf/event.py", line 20, in <module>
      from pycadf import identifier
    File "/usr/lib/python2.7/site-packages/pycadf/identifier.py", line 33, in <module>
      md5_hash = hashlib.md5(CONF.audit.namespace.encode('utf-8'))
  ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fip
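
Added example, not part of the original notification or of the pycadf code base: a probe for whether MD5 is usable on the host (the condition behind the ValueError in the traceback) and a SHA-256-based derivation of a namespace UUID, truncated to the 128 bits that uuid.UUID() accepts. The function names and the sample namespace are assumptions made for illustration.

```python
import hashlib
import uuid


def md5_allowed():
    """Return True if this interpreter's OpenSSL build permits MD5.

    On a FIPS-enforcing host hashlib.md5() raises ValueError, which is the
    failure shown at import time in the traceback.
    """
    try:
        hashlib.md5(b"probe")
        return True
    except ValueError:
        return False


def namespace_uuid(namespace, digest="sha256"):
    """Derive a stable 128-bit UUID from a namespace string.

    The hex digest is cut to 32 characters because uuid.UUID() takes exactly
    128 bits; SHA-256 produces 64 hex characters.
    """
    h = hashlib.new(digest, namespace.encode("utf-8"))
    return uuid.UUID(h.hexdigest()[:32])


def report(namespace):
    """Return the SHA-256-derived UUID and, where MD5 works, the MD5 one."""
    result = {"md5_allowed": md5_allowed(),
              "sha256": namespace_uuid(namespace)}
    if result["md5_allowed"]:
        # Only reached on non-FIPS hosts. The two values differ, so any
        # identifier built from the namespace UUID changes with the digest.
        result["md5"] = namespace_uuid(namespace, "md5")
    return result


if __name__ == "__main__":
    # Constructed sample namespace, not taken from any deployment.
    for key, value in report("example-namespace").items():
        print(key, value)
```

Calling the hash inside a function, rather than at module level, also keeps a disallowed digest from breaking every import of the module.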

