[openstack-dev] [Keystone][Fernet] HA SQL backend for Fernet keys

David Stanek dstanek at dstanek.com
Tue Aug 4 01:05:00 UTC 2015


On Sat, Aug 1, 2015 at 8:03 PM, Boris Bobrov <bbobrov at mirantis.com> wrote:

> On Sat, Aug 1, 2015 at 3:41 PM, Clint Byrum <clint at fewbar.com> wrote:
>
> > This too is overly complex and will cause failures. If you replace key 0,
> > you will stop validating tokens that were encrypted with the old key 0.
>
> No. Key 0 is replaced after rotation.
>
> Also, come on, does http://paste.openstack.org/show/406674/ look overly
> complex? (it should be launched from the Fuel master node).
>

I'm reading this on a small phone, so I may have it wrong, but the script
appears to be broken.

It will SSH to node-1 and rotate. In the simplest case this takes key 0 and
moves it to the next highest key number. Then a new key 0 is generated.

Later there is a loop that will again SSH into node-1 and run the rotation
script. If there is a limit set on the number of keys and you are at that
limit, a key will be deleted. This extra rotation on node-1 means that it's
possible that it has a different set of keys than are on node-2 and node-3.

What's the issue with just a simple rsync of the directory?

-- 
David
blog: http://www.traceback.org
twitter: http://twitter.com/dstanek
www: http://dstanek.com
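The divergence David describes, as an added example that is not part of this thread, the pasted script, or keystone's own code. It models one `keystone-manage fernet_rotate` run the way his message lays it out (staging key 0 is promoted to the next highest number, a fresh key 0 is written, and once the key count exceeds `max_active_keys` the oldest non-staging key is deleted); `max_active_keys=3` is assumed, HMAC stands in for Fernet encryption so the script runs with the standard library only, `node2` stands for both node-2 and node-3, and `sync_keys` is what a plain rsync of the key directory achieves. It then shows that after node-1 has been rotated twice while the other nodes were copied from it only once, a token issued under the original primary key still validates on node-2 but no longer on node-1.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict

KeyRing = Dict[int, bytes]   # key number -> key material, one node's directory

# Assumption: keystone's default fernet_tokens.max_active_keys is 3.
MAX_ACTIVE_KEYS = 3


def new_key() -> bytes:
    """A fresh 32-byte url-safe base64 key, the shape Fernet keys have."""
    return base64.urlsafe_b64encode(os.urandom(32))


def setup_keys() -> KeyRing:
    """Initial repository as fernet_setup lays it out (assumed): key 0 is
    the staging key, key 1 is the primary (the highest number)."""
    return {0: new_key(), 1: new_key()}


def rotate_keys(keys: KeyRing, max_active_keys: int = MAX_ACTIVE_KEYS) -> KeyRing:
    """Simplified model of one rotation run: staging key 0 becomes the new
    primary as key max+1, a new staging key 0 is generated, and the
    lowest-numbered secondary keys are purged until at most
    max_active_keys remain. The staging key is never purged."""
    keys = dict(keys)
    keys[max(keys) + 1] = keys.pop(0)     # promote staging key to primary
    keys[0] = new_key()                   # fresh staging key
    while len(keys) > max_active_keys:
        del keys[min(k for k in keys if k != 0)]
    return keys


def issue_token(keys: KeyRing, payload: bytes) -> bytes:
    """Tokens are issued under the primary key (highest number). HMAC stands
    in for Fernet encryption; the key-selection logic is the point."""
    return hmac.new(keys[max(keys)], payload, hashlib.sha256).digest()


def validate_token(keys: KeyRing, payload: bytes, token: bytes) -> bool:
    """MultiFernet-style validation: try every key this node holds."""
    return any(
        hmac.compare_digest(hmac.new(k, payload, hashlib.sha256).digest(), token)
        for k in keys.values()
    )


def sync_keys(source: KeyRing) -> KeyRing:
    """What a plain rsync of the key directory achieves: an identical copy."""
    return dict(source)


def divergence_scenario(max_active_keys: int = MAX_ACTIVE_KEYS) -> dict:
    payload = b"token-for:demo-user"            # constructed sample payload
    node1 = setup_keys()
    node2 = sync_keys(node1)                    # cluster starts identical
    old_token = issue_token(node2, payload)     # issued under primary key 1

    node1 = rotate_keys(node1, max_active_keys)  # first rotation on node-1
    node2 = sync_keys(node1)                     # copied to node-2 / node-3
    node1 = rotate_keys(node1, max_active_keys)  # the extra rotation in the loop

    result = {
        "keys_identical_before_sync": node1 == node2,
        "node1_validates_old": validate_token(node1, payload, old_token),
        "node2_validates_old": validate_token(node2, payload, old_token),
    }
    node2 = sync_keys(node1)                     # plain rsync of the directory
    result["keys_identical_after_sync"] = node1 == node2
    return result


if __name__ == "__main__":
    for name, value in divergence_scenario().items():
        print(f"{name}: {value}")
```

With three active keys, node-1's second rotation pushes it to four files and purges key 1, while node-2 and node-3 still hold it, so the same token is accepted or rejected depending on which node answers. A single copy of node-1's directory after the last rotation removes the inconsistency; the old token is then rejected everywhere, which is the intended retention behaviour rather than a per-node surprise.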