glance/releasenotes/notes/multihash-081466a98601da20.yaml
Brian Rosmaita 0b24dbd620 Multihash implementation for Glance
Partially implements blueprint multihash.

Requires glance_store 0.26.1

Co-authored-by: Scott McClymont <scott.mcclymont@verizonwireless.com>
Co-authored-by: Brian Rosmaita <rosmaita.fossdev@gmail.com>

Change-Id: Ib28ea1f6c431db6434dbab2a234018e82d5a6d1a
2018-07-31 21:28:38 -04:00

---
features:
  - |
    This release implements the Glance spec `Secure Hash Algorithm Support
    <https://specs.openstack.org/openstack/glance-specs/specs/rocky/approved/glance/multihash.html>`_
    (also known as "multihash"). This feature supplements the current
    'checksum' image property with a self-describing secure hash. The
    self-description consists of two new image properties:

    * ``os_hash_algo`` - this contains the name of the secure hash algorithm
      used to generate the value on this image
    * ``os_hash_value`` - this is the hexdigest computed by applying the
      secure hash algorithm named in the ``os_hash_algo`` property to the
      image data

    These are read-only image properties and are not user-modifiable.

    The secure hash algorithm used is an operator-configurable setting. See
    the help text for 'hashing_algorithm' in the sample Glance configuration
    file for more information.

    The default secure hash algorithm is SHA-512. It should be suitable for
    most applications.

    The legacy 'checksum' image property, which provides an MD5 message
    digest of the image data, is preserved for backward compatibility.
issues:
  - |
    The ``os_hash_value`` image property, introduced as part of the
    `Secure Hash Algorithm Support
    <https://specs.openstack.org/openstack/glance-specs/specs/rocky/approved/glance/multihash.html>`_
    ("multihash") feature, is limited to 128 characters. This is sufficient
    to store 512 bits as a hexadecimal numeral.
  - |
    The "multihash" implemented in this release (`Secure Hash Algorithm Support
    <https://specs.openstack.org/openstack/glance-specs/specs/rocky/approved/glance/multihash.html>`_)
    is computed only for new images. There is no provision for computing
    the multihash for existing images. Thus, users should expect to see
    JSON 'null' values for the ``os_hash_algo`` and ``os_hash_value`` image
    properties on images created prior to the installation of the Rocky
    release at your site.
security:
  - |
    This release implements the Glance spec `Secure Hash Algorithm Support
    <https://specs.openstack.org/openstack/glance-specs/specs/rocky/approved/glance/multihash.html>`_,
    which introduces a self-describing "multihash" to the image-show response.
    This feature supplements the current 'checksum' image property with a
    self-describing secure hash. The default hashing algorithm is SHA-512,
    which is currently considered secure. In the event that algorithm is
    compromised, you will immediately be able to begin using a different
    algorithm (as long as it's supported by the Python 'hashlib' library and
    has output that fits in 128 characters) by modifying the value of the
    'hashing_algorithm' configuration option and either restarting or issuing
    a SIGHUP to Glance.
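
The following is an added example, not part of this release note or of the Glance code base: a client-side integrity check that uses the multihash properties described above and falls back to the legacy MD5 'checksum' when they are null. The function names, the dict shape of the image record, and the assumption that ``os_hash_algo`` holds a hashlib algorithm name such as "sha512" are illustrative.

```python
import hashlib
import hmac
import io

MAX_HEX_LEN = 128  # os_hash_value limit stated in the release note


def algo_fits(name):
    """True if hashlib supports `name` and its hexdigest fits in os_hash_value."""
    try:
        digest_size = hashlib.new(name).digest_size
    except (ValueError, TypeError):
        return False
    # Variable-length digests (SHAKE) report digest_size 0 and are rejected.
    return 0 < digest_size * 2 <= MAX_HEX_LEN


def verify_image(image, stream, chunk_size=64 * 1024):
    """Hash `stream` and compare with the image record (hypothetical helper).

    Returns (algorithm, matched). Falls back to the legacy MD5 'checksum'
    when the multihash properties are null (image created before Rocky).
    """
    algo, expected = image.get("os_hash_algo"), image.get("os_hash_value")
    if algo is None or expected is None:
        algo, expected = "md5", image.get("checksum")
        if expected is None:
            raise ValueError("image record carries no hash at all")
    elif not algo_fits(algo):
        raise ValueError("unusable os_hash_algo: %r" % algo)
    hasher = hashlib.new(algo)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        hasher.update(chunk)
    return algo, hmac.compare_digest(hasher.hexdigest(), expected.lower())


# Constructed sample data: not real Glance output.
SAMPLE_DATA = b"constructed image payload " * 4096
NEW_IMAGE = {
    "checksum": hashlib.md5(SAMPLE_DATA).hexdigest(),
    "os_hash_algo": "sha512",
    "os_hash_value": hashlib.sha512(SAMPLE_DATA).hexdigest(),
}
LEGACY_IMAGE = {"checksum": NEW_IMAGE["checksum"],
                "os_hash_algo": None, "os_hash_value": None}

if __name__ == "__main__":
    for record in (NEW_IMAGE, LEGACY_IMAGE):
        print(verify_image(record, io.BytesIO(SAMPLE_DATA)))
```

The returned algorithm name lets the caller apply its own policy, for example treating an "md5" result as a weaker guarantee than a multihash match.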