author | Brian Rosmaita <rosmaita.fossdev@gmail.com> | 2018-08-21 22:24:22 -0400 |
---|---|---|
committer | Brian Rosmaita <rosmaita.fossdev@gmail.com> | 2018-09-07 14:50:24 -0400 |
commit | 8fd7e8c664e82d805dc4a12534b3d7e3fcaac606 (patch) | |
tree | 093e160501a00436901ee788efab88cee3c70975 /releasenotes/notes | |
parent | a757757a106d9ed6c06e5a2f38ed27e77d2221f5 (diff) | |
download | python-glanceclient-8fd7e8c664e82d805dc4a12534b3d7e3fcaac606.tar.gz |
Use "multihash" for data download validation
When the Glance "multihash" is available on an image, the
glanceclient should use it instead of MD5 to validate data
downloads. For cases in which the multihash specifies an
algorithm not available to the client, an option is added
to the image-download command that will allow fallback to
the legacy MD5 checksum verification.
Change-Id: I4ee6e5071eca08d3bbedceda2acc170e7ed21a6b
Closes-bug: #1788323
Diffstat (limited to 'releasenotes/notes')
-rw-r--r-- | releasenotes/notes/multihash-download-verification-596e91bf7b68e7db.yaml | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/releasenotes/notes/multihash-download-verification-596e91bf7b68e7db.yaml b/releasenotes/notes/multihash-download-verification-596e91bf7b68e7db.yaml new file mode 100644 index 0000000..f32b4a9 --- /dev/null +++ b/releasenotes/notes/multihash-download-verification-596e91bf7b68e7db.yaml 
@@ -0,0 +1,41 @@ +--- +features: + - | + This release adds verification of image data downloads using the Glance + "multihash" feature introduced in the OpenStack Rocky release. When + the ``os_hash_value`` is populated on an image, the glanceclient will + verify this value by computing the hexdigest of the downloaded data + using the algorithm specified by the image's ``os_hash_algo`` property. + + Because the secure hash algorithm specified is determined by the cloud + provider, it is possible that the ``os_hash_algo`` may identify an + algorithm not available in the version of the Python ``hashlib`` library + used by the client. In such a case the download will fail due to an + unsupported hash type. In the event this occurs, a new option, + ``--allow-md5-fallback``, is introduced to the ``image-download`` command. + When present, this option will allow the glanceclient to use the legacy + MD5 checksum to verify the downloaded data if the secure hash algorithm + specified by the ``os_hash_algo`` image property is not supported. + + Note that the fallback is *not* used in the case where the algorithm is + supported but the hexdigest of the downloaded data does not match the + ``os_hash_value``. In that case the download fails regardless of whether + the option is present or not. + + Whether using the ``--allow-md5-fallback`` option is a good idea depends + upon the user's expectations for the verification. MD5 is an insecure + hashing algorithm, so if you are interested in making sure that the + downloaded image data has not been replaced by a datastream carefully + crafted to have the same MD5 checksum, then you should not use the + fallback. If, however, you are using Glance in a trusted environment + and your interest is simply to verify that no bits have flipped during + the data transfer, the MD5 fallback is sufficient for that purpose. That + being said, it is our recommendation that the multihash should be used + whenever possible. 
+security: + - | + This release of the glanceclient uses the Glance "multihash" feature, + introduced in Rocky, to use a secure hashing algorithm to verify the + integrity of downloaded data. Legacy images without the "multihash" + image properties (``os_hash_algo`` and ``os_hash_value``) are verified + using the MD5 ``checksum`` image property. |
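
Review bot: The `security:` section at the end of the new file does not mention `--allow-md5-fallback`, so a reader who checks only that section will conclude that MD5 is used solely for legacy images lacking `os_hash_algo` and `os_hash_value`. Suggest adding a sentence there saying that the option also permits MD5 verification for images that do carry the multihash properties when the client's `hashlib` does not support the named algorithm, and that in this case the check only guards against accidental corruption, as the `features:` text already explains. The `features:` text also leaves open what happens when the fallback is permitted but the image's `checksum` property is not populated; one sentence covering that case would remove the ambiguity.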