<div dir="ltr">I think the success of this, or a revived fernet-backend spec, is going to have a hard requirement on the outcome of the configuration opts discussion [0]. When we attempted to introduce an abstraction for fernet keys previously, it led down a rabbit hole of duplicated work across implementations, which was part of the reason for dropping the spec.<div><div><br></div><div><br></div><div>[0] <a href="http://lists.openstack.org/pipermail/openstack-dev/2017-March/113941.html">http://lists.openstack.org/pipermail/openstack-dev/2017-March/113941.html</a></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Mar 16, 2017 at 10:12 AM, Emilien Macchi <span dir="ltr"><<a href="mailto:emilien@redhat.com" target="_blank">emilien@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Tue, Mar 14, 2017 at 1:27 PM, Emilien Macchi <<a href="mailto:emilien@redhat.com">emilien@redhat.com</a>> wrote:<br>
> Folks,<br>
><br>
> I found useful to share a spec that I started to write this morning:<br>
> <a href="https://review.openstack.org/445592" rel="noreferrer" target="_blank">https://review.openstack.org/<wbr>445592</a><br>
><br>
> The goal is to do Keystone Fernet keys rotations in a way that scales<br>
> and is secure, by using the standard tools and not re-inventing the<br>
> wheel.<br>
> In other words: if you're working on Keystone or TripleO or any other<br>
> deployment tool: please read the spec and give any feedback.<br>
><br>
> We would like to find a solution that would work for all OpenStack<br>
> deployment tools (Kolla, OSA, Fuel, TripleO, Helm, etc) but I sent the<br>
> specs to tripleo project<br>
> to get some feedback.<br>
><br>
> If you already has THE solution that you think is the best one, then<br>
> we would be very happy to learn from it in a comment directly in the<br>
> spec.<br>
><br>
<br>
</span>After 2 days of review from Keystone, TripleO, OSA (and probably some<br>
groups I missed), it's pretty clear the problem is already being fixed<br>
in different places in different ways and that's bad.<br>
IMHO we should engage some work to fix it in Keystone and investigate<br>
again a storage backend for Keystone tokens.<br>
<br>
The Keystone specs that started this investigation was removed for Pike:<br>
<a href="https://review.openstack.org/#/c/439194/" rel="noreferrer" target="_blank">https://review.openstack.org/#<wbr>/c/439194/</a><br>
<br>
I see 2 options here:<br>
<br>
- we keep duplicating efforts and let deployers implement their own solutions.<br>
<br>
- we work with Keystone team to re-enable the spec and move forward to<br>
solve the problem in Keystone itself, therefore for all deployments<br>
tools in OpenStack (my favorite option).<br>
<br>
<br>
I would like to hear from Keystone folks what are the main blockers<br>
for option #2 and if this is only a human resource issue or if there<br>
is some technical points we need to solve (in that case, it could be<br>
done in the specs).<br>
<br>
<br>
Thanks,<br>
<div class="HOEnZb"><div class="h5">--<br>
Emilien Macchi<br>
<br>
______________________________<wbr>______________________________<wbr>______________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.<wbr>openstack.org?subject:<wbr>unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/<wbr>cgi-bin/mailman/listinfo/<wbr>openstack-dev</a><br>
</div></div></blockquote></div><br></div>