fcaefdbe74
In order to provide increased security, it is necessary to hash the rescue password in advance of it being stored into the database and to provide some sort of control for hash strength. This change IS incompatible with prior IPA versions with regard to use of the rescue feature, but I fully expect we will backport the change to IPA on to stable branches and perform a release as it is a security improvement.

Change-Id: I1e118467a536229de6f7c245c1c48f0af38dcef2
Story: 2006777
Task: 27301
24 lines
807 B
YAML
---
features:
  - |
    Passwords for ``rescue`` operation are now hashed for
    transmission to the ``ironic-python-agent``. This functionality
    requires ``ironic-python-agent`` version ``6.0.0``.

    The setting ``[conductor]rescue_password_hash_algorithm``
    now defaults to ``sha256``, and may be set to
    ``sha256``, or ``sha512``.
upgrades:
  - |
    The version of ``ironic-python-agent`` should be upgraded to
    at least version ``6.0.0`` for rescue passwords to be hashed
    for transmission.
security:
  - |
    Operators wishing to enforce all rescue passwords to be hashed
    should use the ``[conductor]require_rescue_password_hashed``
    setting and set it to a value of ``True``.

    This setting will be changed to a default of ``True`` in the
    Victoria development cycle.
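An added example, not part of this commit or of the project's code: a small audit that reads a conductor configuration and reports whether the two `[conductor]` options named in the release note are set as the security note recommends. The function name, the sample configurations, and the assumption that `require_rescue_password_hashed` is off when unset are this example's own.

```python
import configparser

ALLOWED_ALGORITHMS = ("sha256", "sha512")  # values listed in the release note
DEFAULT_ALGORITHM = "sha256"               # default stated in the release note
# Assumption: enforcement is off when unset, because the note says the
# default only becomes True in the Victoria development cycle.
DEFAULT_REQUIRE_HASHED = False


def audit_rescue_hashing(conf_text):
    """Return findings for the [conductor] rescue password options."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    findings = []

    algorithm = parser.get("conductor", "rescue_password_hash_algorithm",
                           fallback=DEFAULT_ALGORITHM).strip()
    if algorithm not in ALLOWED_ALGORITHMS:
        findings.append("rescue_password_hash_algorithm=%r is not one of %s"
                        % (algorithm, ", ".join(ALLOWED_ALGORITHMS)))

    try:
        required = parser.getboolean("conductor",
                                     "require_rescue_password_hashed",
                                     fallback=DEFAULT_REQUIRE_HASHED)
    except ValueError:
        findings.append("require_rescue_password_hashed is not a boolean")
    else:
        if not required:
            findings.append("require_rescue_password_hashed is not True: "
                            "hashing of rescue passwords is not enforced")
    return findings


# Constructed sample configurations (not taken from a real deployment).
PERMISSIVE = "[conductor]\nrescue_password_hash_algorithm = md5\n"
ENFORCED = ("[conductor]\n"
            "rescue_password_hash_algorithm = sha512\n"
            "require_rescue_password_hashed = True\n")

if __name__ == "__main__":
    for name, text in (("permissive", PERMISSIVE), ("enforced", ENFORCED)):
        print(name, audit_rescue_hashing(text) or "ok")
```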