[openstack-dev] [keystone][fernet] Fernet tokens sync

Matt Fischer matt at mattfischer.com
Fri Mar 27 16:02:13 UTC 2015


Do the keys all need to be changed at once in a cluster? If so, that makes
it difficult for puppet, at least with how we do puppet deployments.

Also, David can you share your ansible script for this?

On Fri, Mar 27, 2015 at 9:48 AM, David Stanek <dstanek at dstanek.com> wrote:

>
> On Fri, Mar 27, 2015 at 10:14 AM, Boris Bobrov <bbobrov at mirantis.com>
> wrote:
>
>> As you know, keystone introduced non-persistent tokens in kilo -- Fernet
>> tokens. These tokens use Fernet keys, which are rotated from time to time.
>> A great description of key rotation and replication can be found on [0] and
>> [1] (thanks, lbragstad). In an HA setup there are multiple nodes with Keystone
>> and that requires key replication. How do we do that with new Fernet tokens?
>>
>> Please keep in mind that the solution should be HA -- there should not be
>> any "master" server, pushing keys to slave servers, because the master server
>> might go down.
>>
>
> In my test environment I was using ansible to sync the keys across
> multiple nodes. Keystone should probably provide some guidance around this
> process, but I don't think it should deal with the actual syncing. I think
> that's better left to an installation's existing configuration management
> tools.
>
>
> --
> David
> blog: http://www.traceback.org
> twitter: http://twitter.com/dstanek
> www: http://dstanek.com
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>

