[openstack-dev] [Keystone][Fernet] HA SQL backend for Fernet keys

joehuang joehuang at huawei.com
Wed Aug 5 06:11:05 UTC 2015


Hi, Lance,

May we store the keys in Barbican, and can the key rotation be done upon Barbican? If we use Barbican as the repository, then key distribution and rotation in a multiple-Keystone deployment scenario are easier, and the database replication (sync. or async.) capability could be leveraged.

Best Regards
Chaoyi Huang ( Joe Huang )

From: Lance Bragstad [mailto:lbragstad at gmail.com]
Sent: Tuesday, August 04, 2015 10:56 PM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [Keystone][Fernet] HA SQL backend for Fernet keys


On Tue, Aug 4, 2015 at 9:28 AM, Boris Bobrov <bbobrov at mirantis.com> wrote:
On Tuesday 04 August 2015 08:06:21 Lance Bragstad wrote:
> On Tue, Aug 4, 2015 at 1:37 AM, Boris Bobrov <bbobrov at mirantis.com> wrote:
> > On Monday 03 August 2015 21:05:00 David Stanek wrote:
> > > On Sat, Aug 1, 2015 at 8:03 PM, Boris Bobrov <bbobrov at mirantis.com> wrote:
> > > > Also, come on, does http://paste.openstack.org/show/406674/ look
> > > > overly complex? (it should be launched from Fuel master node).
> > >
> > > I'm reading this on a small phone, so I may have it wrong, but the
> > > script appears to be broken.
> > >
> > > It will ssh to node-1 and rotate. In the simplest case this takes key
> > > 0 and moves it to the next highest key number. Then a new key 0 is
> > > generated.
> > >
> > > Later there is a loop that will again ssh into node-1 and run the
> > > rotation script. If there is a limit set on the number of keys and you
> > > are at that limit a key will be deleted. This extra rotation on node-1
> > > means that it's possible that it has a different set of keys than are
> > > on node-2 and node-3.
> >
> > You are absolutely right. Node-1 should be excluded from the loop.
> >
> > ping also lacks "-c 1".
> >
> > I am sure that other issues can be found.
> >
> > In my excuse I want to say that I never ran the script and wrote it just
> > to show how simple it should be. Thanks for the review though!
> >
> > I also hope that no one is going to use a script from a mailing list.
> >
> > > What's the issue with just a simple rsync of the directory?
> >
> > None I think. I just want to reuse the interface provided by
> > keystone-manage.
>
> You wanted to use the interface from keystone-manage to handle the actual
> promotion of the staged key, right? This is why there were two
> fernet_rotate commands issued?
Right. Here is the fixed version (please don't use it anyway):
http://paste.openstack.org/show/406862/

Note, this doesn't take into account the initial key repository creation, does it?

Here is a similar version that relies on rsync for the distribution after the initial key rotation [0].

[0] http://cdn.pasteraw.com/d6odnvtt1u9zsw5mg4xetzgufy1mjua



--
Best regards,
Boris Bobrov

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
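The divergence David Stanek describes above (an extra rotation on node-1 leaving it with a different key set than node-2 and node-3) can be modelled offline. The following Python is an added example, not code from the thread, from the pastes it links, or from Keystone itself: it simulates the rotation semantics the thread describes (staged key 0 promoted to the next highest number, a new key 0 generated, the oldest numbered key pruned once the repository exceeds a limit) on an in-memory dict instead of the on-disk key repository. The node names, the `max_active_keys` value of 3 and all helper function names are assumptions made for the illustration.

```python
"""Simplified model of multi-node Fernet key rotation and distribution.

Added example; it is not Keystone's fernet_rotate implementation and not the
script from the thread. Repositories are dicts {index: key} rather than files.
"""
import base64
import os

NODES = ["node-1", "node-2", "node-3"]  # assumed node names, as in the thread


def new_key() -> str:
    """Generate a Fernet-shaped key (32 random bytes, urlsafe base64)."""
    return base64.urlsafe_b64encode(os.urandom(32)).decode()


def setup_repository() -> dict:
    """Initial repository: staged key 0 plus primary key 1."""
    return {0: new_key(), 1: new_key()}


def rotate(repo: dict, max_active_keys: int) -> dict:
    """One rotation with the semantics described in the thread: staged key 0
    becomes the new primary (highest index), a fresh key 0 is generated, and
    the oldest numbered keys are pruned while more than max_active_keys
    keys remain."""
    rotated = dict(repo)
    rotated[max(rotated) + 1] = rotated.pop(0)
    rotated[0] = new_key()
    while len(rotated) > max_active_keys:
        del rotated[min(k for k in rotated if k != 0)]
    return rotated


def initial_cluster(nodes=NODES) -> dict:
    """Every node starts with a copy of the same repository."""
    repo = setup_repository()
    return {node: dict(repo) for node in nodes}


def rotation_round(cluster: dict, max_active_keys: int,
                   source: str = "node-1",
                   rotate_source_again: bool = False) -> dict:
    """Rotate on `source` and copy the result to every node (the rsync
    approach). With rotate_source_again=True the source is rotated once
    more afterwards, which is the flaw pointed out in the review."""
    rotated = rotate(cluster[source], max_active_keys)
    result = {node: dict(rotated) for node in cluster}
    if rotate_source_again:
        result[source] = rotate(rotated, max_active_keys)
    return result


def consistent(cluster: dict) -> bool:
    """True when every node holds exactly the same key repository."""
    repos = list(cluster.values())
    return all(repo == repos[0] for repo in repos[1:])


def missing_keys(cluster: dict) -> dict:
    """For each node, the key values held by some other node but not by this
    one. A token encrypted under such a key cannot be validated here."""
    all_keys = set()
    for repo in cluster.values():
        all_keys.update(repo.values())
    return {node: all_keys - set(repo.values()) for node, repo in cluster.items()}


if __name__ == "__main__":
    start = initial_cluster()
    ok = rotation_round(start, max_active_keys=3)
    print("rotate once then copy, consistent:", consistent(ok))
    bad = rotation_round(start, max_active_keys=3, rotate_source_again=True)
    print("extra rotation on node-1, consistent:", consistent(bad))
    for node, keys in missing_keys(bad).items():
        print(f"  {node} lacks {len(keys)} key(s) held elsewhere")
```

Run as a script, the first round leaves all three repositories identical, while the round with the extra rotation prunes key 1 from node-1 only: tokens issued under that key before the rotation are still accepted by node-2 and node-3 but rejected by node-1 until the next copy. The check in `missing_keys` is the one worth running after any distribution step, whether rsync or a key-manager backend does the copying.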
