From 74aa04e2ca7942cb1e1a86dcbaffeb72d260ccd7 Mon Sep 17 00:00:00 2001
From: Russell Bryant <rbryant@redhat.com>
Date: Wed, 1 May 2013 09:41:57 -0400
Subject: [PATCH] Remove insecure default for signing_dir option.

The sample api-paste.ini file included an insecure value for the
signing_dir option for the keystone authtoken middleware.  Comment out
the option so that we just rely on the default behavior by default.

Fix bug 1174608.

Conflicts:
	etc/nova/api-paste.ini

Change-Id: I6189788953d789c34456bbe150b8ed6ce6f68403
(cherry picked from commit 58d6879b1caaa750c39c8e452a0634c24ffef2ce)
---
 etc/nova/api-paste.ini | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/etc/nova/api-paste.ini b/etc/nova/api-paste.ini
index 3970974..95307b2 100644
--- a/etc/nova/api-paste.ini
+++ b/etc/nova/api-paste.ini
@@ -124,4 +124,7 @@ auth_protocol = http
 admin_tenant_name = %SERVICE_TENANT_NAME%
 admin_user = %SERVICE_USER%
 admin_password = %SERVICE_PASSWORD%
-signing_dir = /tmp/keystone-signing-nova
+# signing_dir is configurable, but the default behavior of the authtoken
+# middleware should be sufficient.  It will create a temporary directory
+# in the home directory for the user the nova process is running as.
+#signing_dir = /var/lib/nova/keystone-signing
-- 
1.8.1.5