[openstack-dev] [Keystone][Fernet] HA SQL backend for Fernet keys

Boris Bobrov bbobrov at mirantis.com
Tue Aug 4 06:37:10 UTC 2015


On Monday 03 August 2015 21:05:00 David Stanek wrote:
> On Sat, Aug 1, 2015 at 8:03 PM, Boris Bobrov <bbobrov at mirantis.com> wrote:
> > On Sat, Aug 1, 2015 at 3:41 PM, Clint Byrum <clint at fewbar.com> wrote:
> > > This too is overly complex and will cause failures. If you replace key 0,
> > > you will stop validating tokens that were encrypted with the old key 0.
> > 
> > No. Key 0 is replaced after rotation.
> > 
> > 
> > 
> > Also, come on, does http://paste.openstack.org/show/406674/ look overly
> > complex? (it should be launched from Fuel master node).
> 
> I'm reading this on a small phone, so I may have it wrong, but the script
> appears to be broken.
> 
> It will ssh to node-1 and rotate. In the simplest case this takes key 0 and
> moves it to the next highest key number. Then a new key 0 is generated.
> 
> Later there is a loop that will again ssh into node-1 and run the rotation
> script. If there is a limit set on the number of keys and you are at that
> limit a key will be deleted. This extra rotation on node-1 means that it's
> possible that it has a different set of keys than are on node-2 and node-3.

You are absolutely right. Node-1 should be excluded from the loop.

ping also lacks "-c 1".

I am sure that other issues can be found.

In my defence, I want to say that I never ran the script and wrote it just to
show how simple it should be. Thanks for the review though!

I also hope that no one is going to use a script from a mailing list.

> What's the issue with just a simple rsync of the directory?

None, I think. I just want to reuse the interface provided by keystone-manage.

-- 
Best regards,
Boris
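The divergence David points out is easy to see with a small model of how rotation behaves. The following is an added example, not the paste script from the thread or code from keystone; it assumes the rotation semantics described above (key 0 is the staged key, rotation promotes it to the new primary under the next highest index and writes a fresh key 0, and the lowest-numbered keys are purged once the ring exceeds max_active_keys, here assumed to be 3) and uses a deterministic counter in place of random key generation. It compares the "rotate node-1, then rotate every node in a loop" flow with "rotate node-1 once, then copy its directory to the other nodes", which is what the rsync approach does.

```python
import itertools
from typing import Callable, Dict

NODES = ("node-1", "node-2", "node-3")
MAX_ACTIVE_KEYS = 3  # assumed [fernet_tokens] max_active_keys for this model

KeyRing = Dict[int, str]  # key index -> key material


def make_keygen() -> Callable[[], str]:
    """Deterministic stand-in for random key generation (constructed for the example)."""
    counter = itertools.count(1)
    return lambda: f"new-{next(counter)}"


def rotate(keys: KeyRing, keygen: Callable[[], str],
           max_active_keys: int = MAX_ACTIVE_KEYS) -> KeyRing:
    """One rotation as described in the thread (assumed model):
    staged key 0 becomes the primary under the next highest index,
    a fresh key 0 is written, and the lowest-numbered secondary keys
    are purged while the ring holds more than max_active_keys keys."""
    keys = dict(keys)
    keys[max(keys) + 1] = keys.pop(0)
    keys[0] = keygen()
    while len(keys) > max_active_keys:
        del keys[min(i for i in keys if i != 0)]
    return keys


def initial_ring() -> KeyRing:
    """Constructed starting state, identical on all nodes after an initial distribution."""
    return {0: "staged-a", 1: "primary-a"}


def naive_procedure() -> Dict[str, KeyRing]:
    """The flow David describes: rotate on node-1, then loop over every node
    (node-1 included) and run the rotation again."""
    keygen = make_keygen()
    rings = {n: initial_ring() for n in NODES}
    rings["node-1"] = rotate(rings["node-1"], keygen)
    for node in NODES:
        rings[node] = rotate(rings[node], keygen)
    return rings


def rotate_then_sync() -> Dict[str, KeyRing]:
    """Rotate once on node-1 and copy its key directory to the other nodes (rsync)."""
    keygen = make_keygen()
    rings = {n: initial_ring() for n in NODES}
    rings["node-1"] = rotate(rings["node-1"], keygen)
    for node in NODES[1:]:
        rings[node] = dict(rings["node-1"])
    return rings


def consistent(rings: Dict[str, KeyRing]) -> bool:
    """True when every node holds exactly the same key ring."""
    first = next(iter(rings.values()))
    return all(ring == first for ring in rings.values())


def primary(keys: KeyRing) -> str:
    """The primary (token-issuing) key is the one with the highest index."""
    return keys[max(keys)]


def validates_everywhere(rings: Dict[str, KeyRing], key_value: str) -> bool:
    """A token encrypted with key_value validates on a node only if that node holds it."""
    return all(key_value in ring.values() for ring in rings.values())


if __name__ == "__main__":
    naive = naive_procedure()
    synced = rotate_then_sync()
    print("naive consistent:", consistent(naive))
    print("node-1 primary validates on all nodes (naive):",
          validates_everywhere(naive, primary(naive["node-1"])))
    print("old primary still validates on all nodes (naive):",
          validates_everywhere(naive, "primary-a"))
    print("rsync consistent:", consistent(synced))
```

Under the naive flow node-1 ends up rotated twice: it issues tokens with a primary the other nodes never received, and its purge has already dropped the previous primary that node-2 and node-3 still use, so tokens fail validation in both directions. Rotating once and copying the directory keeps all three rings identical.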