[openstack-dev] [Keystone][Fernet] HA SQL backend for Fernet keys

Clint Byrum clint at fewbar.com
Sat Aug 1 18:20:52 UTC 2015


Meta: Bogdan, please do try to get your email client to reply with references
to the thread, so it doesn't create a new thread.

Excerpts from bdobrelia's message of 2015-08-01 09:27:17 -0700:
> I suggest using a pacemaker multistate clone resource to rotate and rsync fernet tokens from local directories across cluster nodes. The resource prototype is described here https://etherpad.openstack.org/p/fernet_tokens_pacemaker
> Pros: Pacemaker will take care of CAP/split-brain stuff for us, we just design the rotate and rsync logic. Also no shared FS/DB is involved but only the Corosync CIB - to store a few internal resource state related params, not tokens.
> Cons: Keystone nodes hosting fernet token directories must be members of the pacemaker cluster. Also a custom OCF script would have to be created to implement this.

This is a massive con. And there is no need for this level of complexity.

Just making sure you only ever run key rotation in one place concurrently,
followed by an rsync push to all other nodes, is a lot simpler to enact
than pacemaker.

That said, both of those solutions benefit from a feature of the keys
being in the local filesystem: it decouples the way you do HA from the way
you provide a performant service entirely.
