[openstack-dev] [keystone][fernet] Fernet tokens sync

Boris Bobrov bbobrov at mirantis.com
Fri Mar 27 16:05:59 UTC 2015

On Friday 27 March 2015 17:14:28 Boris Bobrov wrote:
> Hello,
> As you know, keystone introduced non-persistent tokens in kilo -- Fernet
> tokens. These tokens use Fernet keys that are rotated from time to time. A
> great description of key rotation and replication can be found on [0] and
> [1] (thanks, lbragstad). In an HA setup there are multiple nodes with
> Keystone, and that requires key replication. How do we do that with new
> Fernet tokens?
> Please keep in mind that the solution should be HA -- there should not be
> any "master" server pushing keys to slave servers, because the master server
> might go down.
> [...]

[0] and [1] in the mail are:

[0]: http://lbragstad.com/?p=133
[1]: http://lbragstad.com/?p=156

After some discussion in #openstack-keystone it seems that token rotation 
should not be a frequent procedure and that the 15 minutes in the blog post 
was just an example for the sake of simple math.

Best regards,
Boris Bobrov
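Added example (not part of the mailing-list post, and not Keystone's own code): a pure-stdlib model of the Fernet key-repository convention the cited blog posts describe (index 0 is the staged key, the highest index is the primary, everything in between is secondary, and `keystone-manage fernet_rotate` promotes the staged key, creates a new staged key and prunes the oldest beyond `max_active_keys`), together with a check of what happens when key replication between two HA nodes lags behind rotation. Assumptions of mine: tokens are HMAC-SHA256 tags rather than real Fernet ciphertexts, keys live in a dict instead of files under `key_repository`, and `replicate()` stands in for whatever copies the key directory between nodes.

```python
"""Model of Keystone-style Fernet key rotation and its HA implications.

Added illustration, not code from the post or from Keystone. A real
deployment uses Fernet ciphertexts (cryptography.fernet) and key files;
here an HMAC tag stands in for a token and a dict for key_repository.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

MAX_ACTIVE_KEYS = 3  # keystone's default [fernet_tokens] max_active_keys


def new_key() -> bytes:
    """A fresh 256-bit key (stand-in for a generated Fernet key)."""
    return secrets.token_bytes(32)


class KeyRepository:
    """Models the integer-named key files: 0 is staged, max(index) is primary."""

    def __init__(self) -> None:
        # Fresh repository (fernet_setup): staged key 0 and primary key 1.
        self.keys: Dict[int, bytes] = {0: new_key(), 1: new_key()}

    def primary(self) -> int:
        return max(self.keys)

    def rotate(self) -> None:
        """Mirror fernet_rotate: staged -> primary, new staged, prune oldest."""
        self.keys[self.primary() + 1] = self.keys.pop(0)  # promote staged
        self.keys[0] = new_key()                           # new staged key
        # Prune the oldest secondary keys; the staged key is never pruned.
        while len(self.keys) > MAX_ACTIVE_KEYS:
            del self.keys[min(i for i in self.keys if i != 0)]

    def issue(self, payload: bytes) -> Tuple[int, bytes]:
        """Tokens are always produced with the primary key."""
        idx = self.primary()
        return idx, hmac.new(self.keys[idx], payload, hashlib.sha256).digest()

    def validate(self, payload: bytes, tag: bytes) -> Optional[int]:
        """Try every key (as MultiFernet does); return the matching index."""
        for idx, key in self.keys.items():
            expected = hmac.new(key, payload, hashlib.sha256).digest()
            if hmac.compare_digest(expected, tag):
                return idx
        return None


def replicate(src: KeyRepository, dst: KeyRepository) -> None:
    """Copy the whole key set to another node (what syncing key_repository does)."""
    dst.keys = dict(src.keys)


def ha_check() -> Dict[str, Optional[int]]:
    """Show why the staged key tolerates one missed sync, but not two."""
    node_a, node_b = KeyRepository(), KeyRepository()
    replicate(node_a, node_b)  # both nodes start with identical keys

    payload = b"constructed sample token payload"
    results: Dict[str, Optional[int]] = {}
    _, old_tag = node_a.issue(payload)          # issued under key 1

    node_a.rotate()                             # B is NOT synced afterwards
    _, tag1 = node_a.issue(payload)             # issued under key 2 (was staged)
    results["old_token_on_a_after_one_rotation"] = node_a.validate(payload, old_tag)
    # B still holds the promoted key as its staged key 0, so it validates.
    results["new_token_on_b_after_one_rotation"] = node_b.validate(payload, tag1)

    node_a.rotate()                             # second rotation, B still stale
    _, tag2 = node_a.issue(payload)             # issued under key 3, unknown to B
    results["new_token_on_b_after_two_rotations"] = node_b.validate(payload, tag2)
    # Key 1 was pruned by max_active_keys, so the original token is now invalid.
    results["old_token_on_a_after_two_rotations"] = node_a.validate(payload, old_tag)
    return results


if __name__ == "__main__":
    for name, matched in ha_check().items():
        print(f"{name}: {'key %d' % matched if matched is not None else 'INVALID'}")
```

The staged key is what makes a masterless sync workable: as long as every node has received the current key set before the next rotation anywhere in the cluster, tokens issued by the first node to rotate still validate everywhere (via that node's key 0 on its peers). Falling two rotations behind, or pruning by `max_active_keys`, is what actually invalidates tokens, which is why rotation frequency has to be chosen against replication lag and desired token lifetime rather than set to something like 15 minutes.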
