Provide option for auth_token middleware to do memcache encryption & integrity check

Registered by Guang Yee

As we know, memcache servers are not very well protected, which means anyone who has access to them can replace the information stored there. Therefore, it would be beneficial for the Keystone auth_token middleware to provide an option to either encrypt or HMAC the values stored in memcache.

This feature shall accept two configurable options:

1) memcache_value_treatment - ENCRYPT, MAC, or default to unprotected.
2) encryption_key_derivation_secret - key derivation secret for generating the encryption or HMAC key
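
A sketch of the MAC treatment described above, as an added example and not the keystoneclient implementation: the key is derived from the configured secret, and each cached value carries an HMAC that also covers its memcache key. The derivation label, blob layout, function names and sample data are assumptions made for illustration.

```python
import hashlib
import hmac
import json

MAC_LEN = hashlib.sha256().digest_size  # 32-byte tag prepended to each value


def derive_key(secret: bytes, purpose: bytes) -> bytes:
    # Assumed derivation: one HMAC-SHA256 step keyed by the configured secret,
    # so MAC and ENCRYPT modes would never share a key.
    return hmac.new(secret, b"auth_token-cache:" + purpose, hashlib.sha256).digest()


def _tag(secret: bytes, cache_key: str, data: bytes) -> bytes:
    # Bind the memcache key (length-prefixed) into the MAC so a valid entry
    # cannot be copied under another token's key.
    name = cache_key.encode()
    msg = len(name).to_bytes(4, "big") + name + data
    return hmac.new(derive_key(secret, b"MAC"), msg, hashlib.sha256).digest()


def protect(secret: bytes, cache_key: str, value) -> bytes:
    """Serialize value and prepend its integrity tag before writing to memcache."""
    data = json.dumps(value, sort_keys=True).encode()
    return _tag(secret, cache_key, data) + data


def unprotect(secret: bytes, cache_key: str, blob: bytes):
    """Return the cached value, or None (a cache miss) if the tag does not verify."""
    if len(blob) < MAC_LEN:
        return None
    tag, data = blob[:MAC_LEN], blob[MAC_LEN:]
    if not hmac.compare_digest(tag, _tag(secret, cache_key, data)):
        return None
    return json.loads(data)


if __name__ == "__main__":
    secret = b"constructed-sample-secret"   # constructed, not a real key
    cache = {}                               # stand-in for a memcache client
    cache["tokens/aaa"] = protect(secret, "tokens/aaa", {"user": "alice", "roles": ["member"]})
    cache["tokens/bbb"] = protect(secret, "tokens/bbb", {"user": "bob", "roles": ["admin"]})
    print(unprotect(secret, "tokens/aaa", cache["tokens/aaa"]))  # verified value
    cache["tokens/aaa"] = cache["tokens/bbb"]  # entry replaced on the server
    print(unprotect(secret, "tokens/aaa", cache["tokens/aaa"]))  # fails the check
```

Treating a failed check as a cache miss makes the middleware revalidate the token with Keystone instead of trusting the stored entry.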

Granted, PKI tokens make memcache less relevant. But not everyone is ready to switch over to PKI tokens just yet. So in the short term, memcache protection is still very useful.

Blueprint information

Status: Complete
Approver: None
Priority: Undefined
Drafter: None
Direction: Needs approval
Assignee: Guang Yee
Definition: Obsolete
Series goal: None
Implementation: Unknown
Milestone target: None
Completed by: Guang Yee

Whiteboard

This has been implemented in keystoneclient; is this bp specifically referring to keystone? -dolph

It is for keystoneclient. We should just close it as implemented. (gyee)
