[openstack-dev] [keystone][fernet] Fernet tokens sync

David Stanek dstanek at dstanek.com
Fri Mar 27 15:48:29 UTC 2015

On Fri, Mar 27, 2015 at 10:14 AM, Boris Bobrov <bbobrov at mirantis.com> wrote:

> As you know, keystone introduced non-persistent tokens in kilo -- Fernet
> tokens. These tokens use Fernet keys, that are rotated from time to time. A
> great description of key rotation and replication can be found on [0] and
> [1]
> (thanks, lbragstad). In HA setup there are multiple nodes with Keystone and
> that requires key replication. How do we do that with new Fernet tokens?
> Please keep in mind that the solution should be HA -- there should not be
> any
> "master" server, pushing keys to slave servers, because master server
> might go
> down.

In my test environment I was using ansible to sync the keys across multiple
nodes. Keystone should probably provide some guidance around this process,
but I don't think it should deal with the actual syncing. I think that's
better left to an installation's existing configuration management tools.

blog: http://www.traceback.org
twitter: http://twitter.com/dstanek
www: http://dstanek.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150327/594ed70d/attachment.html>

More information about the OpenStack-dev mailing list