<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">On 03/09/2016 01:44 AM, Matt Fischer
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAHr1CO8RDeATRuKnzKnbW9bsBp6fMTBrwdBQOTAvGAFg1A_cYA@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div class="gmail_extra">
          <div class="gmail_quote">
            <blockquote class="gmail_quote" style="margin:0 0 0
              .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div
style="word-wrap:break-word;color:rgb(0,0,0);font-size:14px;font-family:Calibri,sans-serif"><span><span
                    class="">
                    <div><br>
                    </div>
                    <blockquote style="BORDER-LEFT:#b5c4df 5
                      solid;PADDING:0 0 0 5;MARGIN:0 0 0 5">
                      <div>
                        <div>
                          <div dir="ltr">I don't think your example is
                            right: "<span style="font-size:12.8px">PKI
                              will validate that token without going to
                              any keystone server". How would it track
                              revoked tokens? I'm pretty sure that they
                              still get validated, they are stored in
                              the DB even.</span>
                            <div><span style="font-size:12.8px"><br>
                              </span></div>
                            <div><span style="font-size:12.8px">I also
                                disagree that there are different use
                                cases. Just switch to fernet and save
                                yourself what's going to be weeks of
                                pain with probably no improvement in
                                anything with this idea.</span></div>
                          </div>
                        </div>
                      </div>
                    </blockquote>
                  </span></span>
                <div><br>
                </div>
                <div>Are there any details on how to switch to Fernet for
                  a running cloud? I can see a migration path where the
                  cloud is stopped, the token format changed and the
                  cloud restarted.</div>
                <div><br>
                </div>
                <div>It seems more complex (and maybe insane, as Adam
                  would say) to do this for a running cloud without
                  disturbing the users of the cloud.</div>
                <div><br>
                </div>
              </div>
            </blockquote>
          </div>
          <br>
        </div>
        <div class="gmail_extra">It requires a brief outage as you
          switch the provider over. We stopped all but 1 node in the
          cluster then modified it, we did liberty + fernet + apache all
          at the same time to avoid multiple restarts. As for the other
          services, newer keystone middlewares will realize "hey my
          token doesn't work anymore" and will get a new one. At the
          time we did ours, this was not the case, so we bounced every
          service that uses the middleware. All in all it was a brief
          outage, basically the length of time to upgrade a few packages
          and restart a service on a single node. My opinion is that it
          was far less invasive than something like upgrading neutron,
          but the APIs were down for a brief time.</div>
        <div class="gmail_extra"><br>
        </div>
        <div class="gmail_extra">Come to my talk in Austin and we'll
          cover it a bit more. <br>
        </div>
      </div>
    </blockquote>
    Captured it here.  Please update with notes.<br>
    <a class="moz-txt-link-freetext" href="https://bugs.launchpad.net/keystone/+bug/1555137">https://bugs.launchpad.net/keystone/+bug/1555137</a><br>
  </body>
</html>