
Author rico-lin
Recipients christian.heimes, rico-lin
Date 2018-07-28.10:31:51
Message-id <1532773912.07.0.56676864532.issue34257@psf.upfronthosting.co.za>
In-reply-to
Content
Currently, the SSL module [1] only allows a file path as input.
That has led to a lot of libraries only accepting a file path to a local file.
This leads to issues when the people who trigger this Python code don't have any right to access a local file. Here are two examples:

1. In a multi-cloud orchestration service design, you (as an operator) would like to create resources in another cloud with an orchestration service (like Heat in OpenStack), but you would like to set up SSL for this connection. You should not allow access to a local file from the first cloud (where the orchestration service is running). And you can't guarantee that the first cloud provider allows you to inject a cert file into their environment. In this case we need to allow operators to input their own cert information and parse it to the ssl option for the request.

2. Serverless. In serverless, we provide Python code and the cloud provides an environment to run it. We can try to inject the cert when we try to create the environment for operators, but it will be more secure to pass it directly to Python instead of storing it around.

The first case is the one we're looking for an answer to. I didn't look into the design for the second case, but I guess it might face the same issue.


[1] https://github.com/python/cpython/blob/master/Modules/_ssl.c#L3683
History
Date                 User      Action  Args
2018-07-28 10:31:52  rico-lin  set     recipients: + rico-lin, christian.heimes
2018-07-28 10:31:52  rico-lin  set     messageid: <1532773912.07.0.56676864532.issue34257@psf.upfronthosting.co.za>
2018-07-28 10:31:52  rico-lin  link    issue34257 messages
2018-07-28 10:31:51  rico-lin  create
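
The limitation described in the message, shown as an added example (not code from the original message or from CPython): CA data can be loaded from memory with `load_verify_locations(cadata=...)`, while `load_cert_chain()` takes paths, so callers holding a cert and key in memory have to stage them briefly on disk. The names `context_from_pem` and `tmp_dir` are hypothetical.

```python
import os
import ssl
import tempfile


def context_from_pem(cert_pem, key_pem, ca_pem=None, tmp_dir=None):
    """Build a client SSLContext from PEM strings held in memory.

    Hypothetical helper: the CA bundle never touches disk, the client
    cert and key are staged in a private temp file only for the duration
    of load_cert_chain() and are unlinked even if loading fails.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if ca_pem is not None:
        # In-memory path that the ssl module already supports.
        ctx.load_verify_locations(cadata=ca_pem)
    else:
        ctx.load_default_certs()

    # mkstemp creates the file exclusively with mode 0600, so other local
    # users can neither read it nor pre-create it.
    fd, path = tempfile.mkstemp(suffix=".pem", dir=tmp_dir)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(cert_pem.rstrip() + "\n" + key_pem.rstrip() + "\n")
        # With keyfile omitted, the private key is read from certfile too.
        ctx.load_cert_chain(certfile=path)
    finally:
        os.unlink(path)
    return ctx


if __name__ == "__main__":
    # Constructed, deliberately invalid PEM: shows that the staged file is
    # removed on the failure path as well.
    staging = tempfile.mkdtemp()
    try:
        context_from_pem("not a certificate", "not a key", tmp_dir=staging)
    except OSError as exc:
        print("rejected:", type(exc).__name__, "| left on disk:", os.listdir(staging))
```

The key material still exists on the filesystem for a short window, which is the exposure the message asks to avoid; pointing `tmp_dir` at a memory-backed mount narrows it but does not remove it.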