[openstack-dev] [Keystone][Fernet] HA SQL backend for Fernet keys

Boris Bobrov bbobrov at mirantis.com
Sat Aug 1 21:18:21 UTC 2015


On Saturday 01 August 2015 16:27:17 bdobrelia at mirantis.com wrote:
> I suggest using a pacemaker multistate clone resource to rotate and rsync
> fernet tokens from local directories across cluster nodes. The resource
> prototype is described here:
> https://etherpad.openstack.org/p/fernet_tokens_pacemaker
> Pros: Pacemaker will take care of the CAP/split-brain stuff for us, we just
> design the rotate and rsync logic. Also no shared FS/DB involved, only the
> Corosync CIB - to store a few internal resource state related params, not
> tokens. Cons: Keystone nodes hosting fernet token directories must be
> members of the pacemaker cluster. Also a custom OCF script should be created
> to implement this.
> Regards,
> Bogdan Dobrelya.
> IRC: bogdando

Looks complex.

I suggest this kind of bash or python script, running on the Fuel master node:

0. Check that all controllers are online;
1. Go to one of the controllers and rotate keys there;
2. Fetch key 0 from there;
3. For each other controller, rotate keys there and put the fetched 0-key in
   place of their new 0-key;
4. If any of the nodes fails to get the new keys (because it went offline or
   for some other reason), revert the rotation (move the key with the biggest
   index back to 0).

The script can be launched by cron or by button in Fuel.

I don't see anything critically bad if one rotation/sync event fails.

> Matt Fischer also discusses key rotation here:
> 
>   http://www.mattfischer.com/blog/?p=648
> 
> And here:
> 
>   http://www.mattfischer.com/blog/?p=665
> 
> On Mon, Jul 27, 2015 at 2:30 PM, Dolph Mathews <dolph.mathews at gmail.com>
> wrote:
>
-- 
With best wishes,
Boris
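Added example (written for this page, not a Fuel or Keystone tool) that simulates the five steps above end to end, including the revert in step 4. Controllers are modelled as in-memory key repositories (index -> key bytes); `Controller`, `sync_rotate`, `in_sync`, `demo` and the `fail_on` knob are the example's own names, and a real script would run `keystone-manage fernet_rotate` over SSH and rsync the key directory instead. One deliberate difference from the post: the revert restores a per-node snapshot rather than only moving the highest-indexed key back to 0, because a rotation with `max_active_keys` reached also prunes the oldest key, which a plain "move back" cannot recover.

```python
import base64
import os
from typing import Dict, List, Optional


def generate_fernet_key() -> bytes:
    # Same construction Keystone uses: 32 random bytes, urlsafe-base64 encoded.
    return base64.urlsafe_b64encode(os.urandom(32))


class Controller:
    """One node's Fernet key repository held in memory (index -> key).
    `fail_on` is a simulation knob: the node goes offline during that call."""

    def __init__(self, name: str, keys: Dict[int, bytes],
                 fail_on: Optional[str] = None):
        self.name, self.keys = name, dict(keys)
        self.online, self.fail_on = True, fail_on

    def _reach(self, op: str) -> None:
        if self.fail_on == op:
            self.online = False
        if not self.online:
            raise ConnectionError(f"{self.name} unreachable during {op}")

    def snapshot(self) -> Dict[int, bytes]:
        self._reach("snapshot")
        return dict(self.keys)

    def restore(self, keys: Dict[int, bytes]) -> None:
        self._reach("restore")
        self.keys = dict(keys)

    def rotate(self, max_active_keys: int) -> None:
        """Mimics `keystone-manage fernet_rotate`: staged key 0 becomes the new
        primary (index max+1), a fresh key is staged at 0, and the oldest keys
        are pruned so at most max_active_keys remain."""
        self._reach("rotate")
        self.keys[max(self.keys) + 1] = self.keys.pop(0)
        self.keys[0] = generate_fernet_key()
        while len(self.keys) > max_active_keys:
            del self.keys[min(i for i in self.keys if i != 0)]

    def get_key(self, index: int) -> bytes:
        self._reach("get_key")
        return self.keys[index]

    def put_key(self, index: int, key: bytes) -> None:
        self._reach("put_key")
        self.keys[index] = key


def sync_rotate(controllers: List[Controller], max_active_keys: int = 3) -> bool:
    """Steps 0-4 from the post. True when every node now holds the same key 0,
    False when the run was skipped (step 0) or reverted (step 4)."""
    if not all(c.online for c in controllers):       # 0. all controllers online?
        return False
    # Snapshots let a failed run be undone. The post reverts by moving the
    # highest key back to 0; restoring a snapshot does that and also brings
    # back any key that rotate() pruned.
    snapshots: Dict[str, Dict[int, bytes]] = {}
    try:
        leader, others = controllers[0], controllers[1:]
        snapshots[leader.name] = leader.snapshot()
        leader.rotate(max_active_keys)                # 1. rotate on one node
        shared_staged = leader.get_key(0)             # 2. fetch its key 0
        for node in others:                           # 3. rotate the rest and
            snapshots[node.name] = node.snapshot()    #    overwrite their key 0
            node.rotate(max_active_keys)
            node.put_key(0, shared_staged)
        return True
    except ConnectionError:
        # 4. A node dropped out mid-run: undo on every changed node that is still
        # reachable. A node that went offline after its own rotate keeps a
        # diverging key 0 until the next successful run.
        for node in controllers:
            if node.name in snapshots and node.online:
                node.restore(snapshots[node.name])
        return False


def in_sync(controllers: List[Controller]) -> bool:
    return all(c.keys == controllers[0].keys for c in controllers)


def demo() -> Dict[str, bool]:
    # Constructed starting state: a previously synced cluster, so every node
    # already shares primary key 1 and staged key 0.
    staged, primary = generate_fernet_key(), generate_fernet_key()
    seed = {0: staged, 1: primary}
    good = [Controller(f"node-{i}", seed) for i in range(3)]
    # Second cluster: node-2 becomes unreachable while its key 0 is written.
    bad = [Controller("node-0", seed), Controller("node-1", seed),
           Controller("node-2", seed, fail_on="put_key")]
    return {
        "rotated_and_in_sync": sync_rotate(good) and in_sync(good),
        "old_staged_is_new_primary": all(c.keys[2] == staged for c in good),
        "failed_run_reverted": not sync_rotate(bad),
        "reachable_nodes_restored": all(c.keys == seed for c in bad[:2]),
    }
```

`demo()` runs a successful rotation (all three nodes end up with identical repositories, the old staged key promoted to index 2) and a failing one where node-2 drops out during step 3; the two reachable nodes are rolled back to their pre-rotation keys. The node that rotated but never received the shared key 0 keeps its own staged key until the next successful run, which is the "one failed rotation/sync event" the post treats as non-critical: its key 0 is only staged, so tokens issued by the other nodes still validate against the shared primary.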