From 74aa04e2ca7942cb1e1a86dcbaffeb72d260ccd7 Mon Sep 17 00:00:00 2001
From: Russell Bryant
Date: Wed, 1 May 2013 09:41:57 -0400
Subject: [PATCH] Remove insecure default for signing_dir option.
The sample api-paste.ini file included an insecure value for the signing_dir option for the keystone authtoken middleware. Comment out the option so that we just rely on the default behavior by default.
Fix bug 1174608.
Conflicts: etc/nova/api-paste.ini
Change-Id: I6189788953d789c34456bbe150b8ed6ce6f68403
(cherry picked from commit 58d6879b1caaa750c39c8e452a0634c24ffef2ce)
---
 etc/nova/api-paste.ini | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/etc/nova/api-paste.ini b/etc/nova/api-paste.ini
index 3970974..95307b2 100644
--- a/etc/nova/api-paste.ini
+++ b/etc/nova/api-paste.ini
@@ -124,4 +124,7 @@ auth_protocol = http
 admin_tenant_name = %SERVICE_TENANT_NAME%
 admin_user = %SERVICE_USER%
 admin_password = %SERVICE_PASSWORD%
-signing_dir = /tmp/keystone-signing-nova
+# signing_dir is configurable, but the default behavior of the authtoken
+# middleware should be sufficient. It will create a temporary directory
+# in the home directory for the user the nova process is running as.
+#signing_dir = /var/lib/nova/keystone-signing
-- 
1.8.1.5
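Review bot: The comment added above `#signing_dir = /var/lib/nova/keystone-signing` does not say what makes a signing_dir safe, so an operator who uncomments or edits that line can reintroduce the problem this commit removes. The old value was a predictable path under /tmp, a location that other local accounts can normally write to, which means the directory holding the middleware's token-verification material was not guaranteed to be under the service's sole control. I would add a line such as `# If set, signing_dir must be owned by the nova user with mode 0700; never use a world-writable location such as /tmp.` The comment's claim about the home directory also presumes the service account has a writable one, which is worth confirming for packaged installs. Deployments that copied the earlier sample keep the /tmp value until changed by hand, so a release note would help; the enclosing section starts outside this hunk.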