[openstack-dev] [keystone][fernet] Fernet tokens sync
Boris Bobrov
bbobrov at mirantis.com
Fri Mar 27 16:05:59 UTC 2015
On Friday 27 March 2015 17:14:28 Boris Bobrov wrote:
> Hello,
>
> As you know, keystone introduced non-persistent tokens in Kilo -- Fernet
> tokens. These tokens use Fernet keys, which are rotated from time to time. A
> great description of key rotation and replication can be found on [0] and
> [1] (thanks, lbragstad). In HA setup there are multiple nodes with
> Keystone and that requires key replication. How do we do that with new
> Fernet tokens?
>
> Please keep in mind that the solution should be HA -- there should not be
> any "master" server, pushing keys to slave servers, because master server
> might go down.
>
> [...]
[0] and [1] in the mail are:
[0]: http://lbragstad.com/?p=133
[1]: http://lbragstad.com/?p=156
After some discussion in #openstack-keystone it seems that key rotation
should not be a frequent procedure and that 15 minutes in the blog post was just
an example for the sake of simple math.
--
Best regards,
Boris Bobrov
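To make concrete why rotation frequency and replication lag are coupled, here is an added example (editor's code, not from this mail, the linked posts or Keystone itself). It models Keystone's Fernet key repository as I understand it: key 0 is the staged key, the highest index is the primary used to issue tokens, the remaining keys are secondaries kept for validation, and `fernet_rotate` promotes the staged key to primary, creates a new staged key and prunes the oldest secondary beyond `max_active_keys`. Fernet's AES-CBC+HMAC is replaced by a plain HMAC-SHA256 tag so the example runs on the standard library; `KeyRepository`, `issue_token`, `validate_token` and `ha_scenario` are names invented here. The scenario: node A rotates while node B still holds the previous key set.

```python
"""Model of Fernet key rotation and replication lag across two HA nodes.

Assumed keyring layout (Keystone-style, not from the mail):
  index 0          -> staged key (distributed first, not yet used to issue)
  highest index    -> primary key (used to issue tokens)
  other indexes    -> secondary keys (validate-only, kept until pruned)
The token "cipher" is an HMAC-SHA256 tag standing in for Fernet AEAD.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

TAG_LEN = 32  # SHA-256 digest size


class KeyRepository:
    """One node's on-disk Fernet key repository."""

    def __init__(self, max_active_keys: int = 3) -> None:
        self.max_active_keys = max_active_keys
        # Fresh repository: a staged key (0) and a primary key (1).
        self.keys: Dict[int, bytes] = {0: os.urandom(32), 1: os.urandom(32)}

    @property
    def primary_index(self) -> int:
        return max(self.keys)

    def rotate(self) -> None:
        """Promote staged -> primary, create a new staged key, prune oldest."""
        new_primary = self.primary_index + 1
        self.keys[new_primary] = self.keys.pop(0)   # staged key becomes primary
        self.keys[0] = os.urandom(32)               # brand-new staged key
        while len(self.keys) > self.max_active_keys:
            oldest = min(i for i in self.keys if i != 0)
            del self.keys[oldest]                   # drop the oldest secondary

    def copy(self) -> "KeyRepository":
        """Snapshot as it would be rsync'd to another node."""
        other = KeyRepository(self.max_active_keys)
        other.keys = dict(self.keys)
        return other


def issue_token(repo: KeyRepository, payload: bytes) -> bytes:
    """Issue a token under the node's current primary key."""
    key = repo.keys[repo.primary_index]
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag)


def validate_token(repo: KeyRepository, token: bytes) -> Optional[bytes]:
    """Try every key in the repository, as Fernet does (no key id in token)."""
    raw = base64.urlsafe_b64decode(token)
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    for key in repo.keys.values():
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):
            return payload
    return None


def ha_scenario() -> Dict[str, bool]:
    """Node A rotates; node B has not received the new repository yet."""
    node_a = KeyRepository(max_active_keys=3)
    node_b = node_a.copy()            # last successful replication

    node_a.rotate()                   # A is now one rotation ahead of B
    a_token = issue_token(node_a, b"user:alice")   # constructed payload
    b_token = issue_token(node_b, b"user:bob")

    results = {
        # B holds A's new primary as its staged key 0, so A's token validates.
        "a_token_on_lagging_b": validate_token(node_b, a_token) is not None,
        # A still holds B's primary as a secondary, so B's token validates.
        "b_token_on_rotated_a": validate_token(node_a, b_token) is not None,
    }

    node_a.rotate()                   # second rotation, still no sync to B
    a_token2 = issue_token(node_a, b"user:alice")
    results.update({
        # B never saw the key A is issuing with now: validation fails.
        "a_token_on_b_after_two_rotations": validate_token(node_b, a_token2) is not None,
        # A has pruned B's primary (max_active_keys=3): B's token now fails.
        "b_token_on_a_after_two_rotations": validate_token(node_a, b_token) is not None,
    })
    return results


if __name__ == "__main__":
    for name, ok in ha_scenario().items():
        print(f"{name}: {'valid' if ok else 'INVALID'}")
```

The staged key buys exactly one rotation of tolerance: as long as every node receives the new repository before the next rotation, tokens issued anywhere validate everywhere. Rotating faster than the replication interval (or more than `max_active_keys` times while a node is unreachable) produces the cross-node failures in the second half of the scenario, which is why rotating every 15 minutes is only sensible as a blog-post arithmetic example.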