[openstack-dev] [keystone][fernet] Fernet tokens sync

Morgan Fainberg morgan.fainberg at gmail.com
Fri Mar 27 16:13:52 UTC 2015


Matt,

The idea is you have a staging key (next key) and you generate that, and sync it out. Once it is synced out you can rotate to it as needed. All keys on the server are valid for token validation. Only the "active" key is used for a given keystone to issue a token.

Lance has some ansible stuff he put together for syncing the keys: https://github.com/lbragstad/revolver

--Morgan

Sent via mobile
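The staging/primary/secondary model Morgan describes above, as an added stand-alone example that is not part of this thread, of Keystone's code, or of the revolver repo. The key layout follows Keystone's Fernet key repository convention (index 0 is the staging key, the highest index is the primary used to issue tokens, the rest are secondary keys kept only for validation); the `KeyRepository`, `issue_token`, `validate_token` and `run_scenario` names are assumptions, and the token itself is a simplified HMAC-SHA256 stand-in for a real Fernet token so that it runs with the standard library only. The scenario shows why the staging key has to be synced out before a node rotates: a rotation on node A is harmless to node B as long as B already holds the key being promoted, and breaks validation on B when it does not.

```python
import base64
import hashlib
import hmac
import json
import secrets

STAGING = 0                           # index 0 is the staging ("next") key
KEY_LEN = 32
MAC_LEN = hashlib.sha256().digest_size


class KeyRepository:
    """In-memory model of one Keystone node's Fernet key repository (hypothetical).

    Index 0 is the staging key, the highest index is the primary key used to
    issue tokens, every other index is a secondary key kept for validation.
    """

    def __init__(self, max_active_keys=3):
        self.keys = {}
        self.max_active_keys = max_active_keys

    @staticmethod
    def new_key():
        return secrets.token_bytes(KEY_LEN)

    def initialize(self):
        # A fresh repository holds one staging key and one primary key.
        self.keys = {STAGING: self.new_key(), 1: self.new_key()}

    def primary_index(self):
        return max(self.keys)

    def rotate(self):
        """Promote the staging key to primary and mint a new staging key."""
        self.keys[self.primary_index() + 1] = self.keys[STAGING]
        self.keys[STAGING] = self.new_key()
        # Prune the oldest secondary keys beyond max_active_keys. Tokens issued
        # under a pruned key can no longer be validated by anyone.
        while len(self.keys) > self.max_active_keys:
            del self.keys[min(i for i in self.keys if i != STAGING)]

    def sync_from(self, other):
        """Stand-in for the out-of-band sync (ansible, puppet, ...)."""
        self.keys = dict(other.keys)


def issue_token(repo, subject):
    """Only the primary key is ever used to issue a token."""
    payload = json.dumps({"sub": subject}).encode()
    mac = hmac.new(repo.keys[repo.primary_index()], payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode()


def validate_token(repo, token):
    """Any key in the repository, staging included, is valid for validation."""
    raw = base64.urlsafe_b64decode(token)
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    for key in repo.keys.values():
        if hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), mac):
            return json.loads(payload)["sub"]
    return None


def run_scenario():
    """Two nodes; A rotates, B only sometimes gets the sync. Returns outcomes."""
    node_a, node_b = KeyRepository(), KeyRepository()
    node_a.initialize()
    node_b.sync_from(node_a)              # B now holds A's staging key too
    results = {}

    t1 = issue_token(node_a, "user-1")
    results["synced_before_rotate"] = validate_token(node_b, t1) == "user-1"

    node_a.rotate()                       # promotes a key B already has
    t2 = issue_token(node_a, "user-1")
    results["rotate_after_sync_ok"] = validate_token(node_b, t2) == "user-1"

    node_a.rotate()                       # promotes a staging key B never saw
    t3 = issue_token(node_a, "user-1")
    results["rotate_without_sync_fails"] = validate_token(node_b, t3) is None

    node_b.sync_from(node_a)              # repair: push the full repository
    results["valid_after_resync"] = validate_token(node_b, t3) == "user-1"

    # A has pruned key 1 by now, so its own oldest token is dead everywhere.
    results["pruned_key_token_rejected"] = validate_token(node_a, t1) is None
    return results


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The practical reading for a cluster: sync the repository after every staging-key generation and only then rotate, and keep `max_active_keys` large enough that a key stays in every node's repository for at least the token lifetime plus the sync lag.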

> On Mar 27, 2015, at 09:02, Matt Fischer <matt at mattfischer.com> wrote:
> 
> Do the keys all need to be changed at once in a cluster? If so that makes it difficult for puppet at least how we do puppet deployments.
> 
> Also, David can you share your ansible script for this?
> 
>> On Fri, Mar 27, 2015 at 9:48 AM, David Stanek <dstanek at dstanek.com> wrote:
>> 
>>> On Fri, Mar 27, 2015 at 10:14 AM, Boris Bobrov <bbobrov at mirantis.com> wrote:
>>> As you know, keystone introduced non-persistent tokens in kilo -- Fernet
>>> tokens. These tokens use Fernet keys, that are rotated from time to time. A
>>> great description of key rotation and replication can be found on [0] and [1]
>>> (thanks, lbragstad). In an HA setup there are multiple nodes with Keystone and
>>> that requires key replication. How do we do that with new Fernet tokens?
>>> 
>>> Please keep in mind that the solution should be HA -- there should not be any
>>> "master" server, pushing keys to slave servers, because master server might go
>>> down.
>> 
>> In my test environment I was using ansible to sync the keys across multiple nodes. Keystone should probably provide some guidance around this process, but I don't think it should deal with the actual syncing. I think that's better left to an installation's existing configuration management tools.
>> 
>> 
>> -- 
>> David
>> blog: http://www.traceback.org
>> twitter: http://twitter.com/dstanek
>> www: http://dstanek.com
>> 
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> 

