From 2b6e9ac47127453fdf907f3d9b56c71260ed0ba2 Mon Sep 17 00:00:00 2001
From: Boris Pavlovic
Date: Mon, 12 Jun 2017 17:08:33 -0700
Subject: [PATCH] Improve OpenStack performance by redcuing bcrypt hasing rounds number Reduce bcrypt hashing rounds from 12 to 4 (minimal possilbe). This is going to imporve a lot of perforamcne of OpenStack. Bcrypt is hashing algorithm that is designed to use a lot of resources and in that way stops brutforce attacks. It's exponential algorithm that depends on amount of rounds. By default they use 12 rounds which is quite high value, good enough for real secure production enviorments. In case of DevStack it's going to slow down all authentication by many times. Rally shows about 5 times slownest (adding 2-5 seconds to every authenticate) DevStack is meant for developemnt & CI so performance is way more important than security.
Change-Id: Id8c763d63cb91f37a774f9400f35c309f37d6f12
---
 lib/keystone | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/lib/keystone b/lib/keystone
index eaed937d2e..7994065bbd 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -127,6 +127,12 @@ KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS=${KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS:-2}
 KEYSTONE_LOCKOUT_DURATION=${KEYSTONE_LOCKOUT_DURATION:-5}
 KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT=${KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT:-2}
+# Number of bcrypt hashing rounds, increasing number exponentially increases required
+# resources to generate password hash. This is very effective way to protect from
+# bruteforce attacks. 4 is minimal value that can be specified for bcrypt and
+# it works way faster than default 12. Minimal value is great for CI and development
+# however may not be suitable for real production.
+KEYSTONE_PASSWORD_HASH_ROUNDS=${KEYSTONE_PASSWORD_HASH_ROUNDS:-4}
 # Functions
 # ---------
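Review bot: The comment above `KEYSTONE_PASSWORD_HASH_ROUNDS` ends with "may not be suitable for real production", which understates what a default of 4 means: it is the lowest cost bcrypt accepts, and it applies to every install that does not override the variable. A bcrypt hash records the cost it was created with, so passwords hashed at 4 presumably stay that weak in the identity database after the setting is raised, until each password is changed. I would replace the last comment sentence with `# Do not use outside CI/development: hashes created at this cost stay weak until the password is changed.` and add `# Set KEYSTONE_PASSWORD_HASH_ROUNDS=12 (the keystone default) in local.conf for anything longer-lived.` The value is also accepted without any check that it is an integer in the range bcrypt allows, so a typo in local.conf would surface only once keystone reads its config.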
@@ -225,6 +231,7 @@ function configure_keystone {
 fi
 iniset $KEYSTONE_CONF identity driver "$KEYSTONE_IDENTITY_BACKEND"
+ iniset $KEYSTONE_CONF identity password_hash_rounds $KEYSTONE_PASSWORD_HASH_ROUNDS
 iniset $KEYSTONE_CONF assignment driver "$KEYSTONE_ASSIGNMENT_BACKEND"
 iniset $KEYSTONE_CONF role driver "$KEYSTONE_ROLE_BACKEND"
 iniset $KEYSTONE_CONF resource driver "$KEYSTONE_RESOURCE_BACKEND"
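Review bot: The added `iniset` line passes `$KEYSTONE_PASSWORD_HASH_ROUNDS` unquoted, while the driver lines around it quote their values. A value containing whitespace would be word-split into extra arguments, so I would write `iniset $KEYSTONE_CONF identity password_hash_rounds "$KEYSTONE_PASSWORD_HASH_ROUNDS"`. The option is written on every run with no hint in the generated config that it was lowered for speed; a comment here such as `# CI/dev only: weakens stored password hashes` would help anyone reading this function later. `configure_keystone` starts and ends outside this hunk, so any validation elsewhere in the function is not visible here.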