[openstack-dev] [keystone][fernet] Fernet tokens sync

Jay Pipes jaypipes at gmail.com
Fri Mar 27 17:30:41 UTC 2015


On Fri, Mar 27, 2015 at 11:48:29AM -0400, David Stanek wrote:
> On Fri, Mar 27, 2015 at 10:14 AM, Boris Bobrov <bbobrov at mirantis.com> wrote:
> 
> > As you know, keystone introduced non-persistent tokens in kilo -- Fernet
> > tokens. These tokens use Fernet keys that are rotated from time to time. A
> > great description of key rotation and replication can be found on [0] and
> > [1] (thanks, lbragstad). In an HA setup there are multiple nodes with Keystone,
> > and that requires key replication. How do we do that with new Fernet tokens?
> >
> > Please keep in mind that the solution should be HA -- there should not be
> > any "master" server pushing keys to slave servers, because the master server
> > might go down.
> >
> 
> In my test environment I was using ansible to sync the keys across multiple
> nodes. Keystone should probably provide some guidance around this process,
> but I don't think it should deal with the actual syncing. I think that's
> better left to an installation's existing configuration management tools.

Agreed. This is the same reason why I don't support building in
replication functionality to Glance, either. There's lots of external
tools that can do this kind of thing, from shared filesystems to
BitTorrent, to using Ansible to orchestrate stuff...

The best solution is one we don't have to write ourselves.

Best,
-jay
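As an added illustration of the "leave syncing to configuration management" approach discussed in this thread (this is not David's playbook and not part of Keystone), the following Ansible playbook rotates the Fernet keys on whichever node is first in the inventory group for that run and pushes the resulting key repository to the other nodes. It assumes an inventory group named `keystone`, the default key repository `/etc/keystone/fernet-keys`, a `keystone` system user and group, and that the rotation node can reach the others over ssh for rsync; all of those are assumptions, not facts from the thread. Nothing runs permanently as a "master": the source node is picked per run, and any node can play that role next time.

```yaml
# Added example, not code from the thread or from Keystone.
# Assumptions: inventory group "keystone"; key repository at the Keystone
# default /etc/keystone/fernet-keys; keystone-manage runs as the "keystone"
# user; the rotation node can rsync to the others over ssh.
- name: Rotate Keystone Fernet keys on one node and replicate them to the rest
  hosts: keystone
  become: true
  vars:
    fernet_dir: /etc/keystone/fernet-keys
    # Any member of the group can be the source for this run; there is no
    # long-running master server that the other nodes depend on.
    rotate_host: "{{ groups['keystone'][0] }}"
  tasks:
    # Rotation happens on exactly one node. Rotating first and syncing second
    # is safe because every node already holds the staged key that becomes
    # the new primary, so tokens issued by the new primary validate everywhere.
    - name: Rotate the key repository on the chosen node only
      command: keystone-manage fernet_rotate
      become_user: keystone
      when: inventory_hostname == rotate_host
      run_once: true

    # rsync runs on the rotation node (delegate_to) and pushes to each other
    # node. delete=true drops keys the rotation removed so no node keeps a
    # retired key alive longer than the source does.
    - name: Push the key repository from the rotation node to every other node
      synchronize:
        src: "{{ fernet_dir }}/"
        dest: "{{ fernet_dir }}/"
        delete: true
      delegate_to: "{{ rotate_host }}"
      when: inventory_hostname != rotate_host

    # Keys are secrets: the directory is 0700 and the key files 0600,
    # owned by the service account, on every node after each sync.
    - name: Enforce ownership and permissions on the key repository
      file:
        path: "{{ fernet_dir }}"
        state: directory
        owner: keystone
        group: keystone
        mode: "u=rwX,go="
        recurse: true
```

The last task is the check worth keeping even if you replace rsync with a shared filesystem or some other transport: a key repository that is readable by other local users, or that has drifted between nodes, is the failure mode to watch for. Comparing a checksum of each node's key directory after the run (for example with `find ... | sort | sha256sum` on every host) is a cheap way to confirm the sync actually converged.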


