<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 03/09/2016 01:44 AM, Matt Fischer
wrote:<br>
</div>
<blockquote
cite="mid:CAHr1CO8RDeATRuKnzKnbW9bsBp6fMTBrwdBQOTAvGAFg1A_cYA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div
style="word-wrap:break-word;color:rgb(0,0,0);font-size:14px;font-family:Calibri,sans-serif"><span><span
class="">
<div><br>
</div>
<blockquote style="BORDER-LEFT:#b5c4df 5
solid;PADDING:0 0 0 5;MARGIN:0 0 0 5">
<div>
<div>
<div dir="ltr">I don't think your example is
right: "<span style="font-size:12.8px">PKI
will validate that token without going to
any keystone server". How would it track
revoked tokens? I'm pretty sure that they
still get validated, they are stored in
the DB even.</span>
<div><span style="font-size:12.8px"><br>
</span></div>
<div><span style="font-size:12.8px">I also
disagree that there are different use
cases. Just switch to fernet and save
yourself what's going to be weeks of
pain with probably no improvement in
anything with this idea.</span></div>
</div>
</div>
</div>
</blockquote>
</span></span>
<div><br>
</div>
<div>Are there any details on how to switch to Fernet for
a running cloud? I can see a migration path where the
cloud is stopped, the token format changed and the
cloud restarted.</div>
<div><br>
</div>
<div>It seems more complex (and maybe insane, as Adam
would say) to do this for a running cloud without
disturbing the users of the cloud.</div>
<div><br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<div class="gmail_extra">It requires a brief outage as you
switch the provider over. We stopped all but 1 node in the
cluster then modified it, we did liberty + fernet + apache all
at the same time to avoid multiple restarts. As for the other
services, newer keystone middlewares will realize "hey my
token doesn't work anymore" and will get a new one. At the
time we did ours, this was not the case, so we bounced every
service that uses the middleware. All in all it was a brief
outage, basically the length of time to upgrade a few packages
and restart a service on a single node. My opinion is that it
was far less invasive than something like upgrading neutron,
but the APIs were down for a brief time.</div>
<div class="gmail_extra"><br>
</div>
<div class="gmail_extra">Come to my talk in Austin and we'll
cover it a bit more. <br>
</div>
</div>
</blockquote>
Captured it here. Please update with notes.<br>
<a class="moz-txt-link-freetext" href="https://bugs.launchpad.net/keystone/+bug/1555137">https://bugs.launchpad.net/keystone/+bug/1555137</a><br>
<br>
<br>
<blockquote
cite="mid:CAHr1CO8RDeATRuKnzKnbW9bsBp6fMTBrwdBQOTAvGAFg1A_cYA@mail.gmail.com"
type="cite">
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: <a class="moz-txt-link-abbreviated" href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
</blockquote>
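<br>
The cutover described in the thread above, rehearsed as an added example that is not part of the original thread or of Keystone itself: a constructed keystone.conf is switched from the PKI to the Fernet provider, and the Fernet key repository is checked for the things a defender wants in place before the brief outage (directory exists, mode 700 so only the keystone user can read signing keys, staged key 0 and primary key 1 present). The config layout and the key_repository path are assumptions; on a real node the repository is created by keystone-manage fernet_setup and must be synced to every Keystone node before the provider is switched.
<br>

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): rehearse the
# PKI -> Fernet provider switch on a constructed keystone.conf in a
# scratch directory and check that the Fernet key repository is ready.
# Assumptions: [token] provider = ... and [fernet_tokens] key_repository
# follow the stock Keystone layout; keystone-manage fernet_setup is run
# separately on a real node and is not invoked here.

WORK="$(mktemp -d)"
CONF="$WORK/keystone.conf"
REPO="$WORK/fernet-keys"

# Constructed sample configuration, still in the PKI state.
cat > "$CONF" <<'EOF'
[DEFAULT]
debug = false

[token]
provider = pki
expiration = 3600

[fernet_tokens]
key_repository = /etc/keystone/fernet-keys/
EOF

# Rewrite the provider line inside the [token] section only, keeping a .bak copy.
switch_to_fernet() {
  sed -i.bak -e '/^\[token\]/,/^\[/ s/^provider *=.*/provider = fernet/' "$1"
}

# Print the provider currently configured in the [token] section.
current_provider() {
  sed -n '/^\[token\]/,/^\[/ s/^provider *= *//p' "$1"
}

# Pre-cutover check on the key repository: it must exist, be readable by
# the keystone user only (mode 700), and hold the staged key 0 and the
# primary key 1 that keystone-manage fernet_setup creates.
check_key_repo() {
  dir="$1"
  [ -d "$dir" ] || { echo "missing key repository $dir"; return 1; }
  mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir")
  [ "$mode" = "700" ] || { echo "key repository mode is $mode, expected 700"; return 1; }
  if [ -f "$dir/0" ] && [ -f "$dir/1" ]; then
    return 0
  fi
  echo "need staged key 0 and primary key 1 in $dir"
  return 1
}

# Example run: switch the provider, then refuse to proceed until the repo checks out.
switch_to_fernet "$CONF"
echo "provider is now: $(current_provider "$CONF")"
check_key_repo "$REPO" || echo "run keystone-manage fernet_setup and sync keys before restarting keystone"
```

The check is deliberately separate from the config rewrite: the provider line is a one-line change, but a Keystone node restarted with provider = fernet and no synced key repository will fail to issue or validate tokens, which turns the brief outage the thread describes into a longer one.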
<br>
</body>
</html>