[openstack-dev] [keystone] Using multiple token formats in a one openstack cloud

Matt Fischer matt at mattfischer.com
Wed Mar 9 06:44:45 UTC 2016

> I don't think your example is right: "PKI will validate that token
> without going to any keystone server". How would it track revoked tokens?
> I'm pretty sure that they still get validated, they are stored in the DB
> even.
> I also disagree that there are different use cases. Just switch to fernet
> and save yourself what's going to be weeks of pain with probably no
> improvement in anything with this idea.
> Are there any details on how to switch to Fernet for a running cloud? I
> can see a migration path where the cloud is stopped, the token format
> changed and the cloud restarted.
> It seems more complex (and maybe insane, as Adam would say) to do this for
> a running cloud without disturbing the users of the cloud.
It requires a brief outage as you switch the provider over. We stopped all
but 1 node in the cluster then modified it, we did liberty + fernet +
apache all at the same time to avoid multiple restarts. As for the other
services, newer keystone middlewares will realize "hey my token doesn't
work anymore" and will get a new one. At the time we did ours, this was not
the case, so we bounced every service that uses the middleware. All in all
it was a brief outage, basically the length of time to upgrade a few
packages and restart a service on a single node. My opinion is that it was
far less invasive than something like upgrading neutron, but the APIs were
down for a brief time.

Come to my talk in Austin and we'll cover it a bit more.
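A post-cutover check along the lines of what Matt describes, as an added example that is not from this thread or from keystone itself: it classifies tokens by their wire format so you can confirm that newly issued tokens are fernet rather than PKI, and sanity-checks the fernet key repository (integer file names, staged key 0, a primary key, no group/other read bits). The token prefixes and repository layout assumed here follow keystone's conventions; the sample tokens and repository are constructed.

```python
import os
import re
import tempfile

# Token shapes (assumed from keystone's conventions): PKI tokens are base64(CMS)
# and begin with "MII"; PKIZ tokens add a "PKIZ_" prefix; UUID tokens are 32 hex
# chars; fernet tokens are short URL-safe base64 starting with "gAAAAA" (0x80 version byte).
UUID_RE = re.compile(r"^[0-9a-f]{32}$")
FERNET_RE = re.compile(r"^gAAAAA[A-Za-z0-9_-]+={0,2}$")

def classify_token(token):
    """Return 'pkiz', 'pki', 'uuid', 'fernet' or 'unknown' for a token string."""
    if token.startswith("PKIZ_"):
        return "pkiz"
    if token.startswith("MII"):
        return "pki"
    if UUID_RE.match(token):
        return "uuid"
    if len(token) < 300 and FERNET_RE.match(token):
        return "fernet"
    return "unknown"

def check_fernet_repo(path):
    """Return a list of problems found in a fernet key repository directory."""
    problems, keys = [], []
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if not name.isdigit():
            problems.append("unexpected file in key repo: %s" % name)
            continue
        keys.append(int(name))
        mode = os.stat(full).st_mode & 0o777
        if mode & 0o077:
            problems.append("key %s readable by group/other (mode %o)" % (name, mode))
    if 0 not in keys:
        problems.append("no staged key (file named 0)")
    if not any(k > 0 for k in keys):
        problems.append("no primary key (highest-numbered file)")
    return problems

def build_sample_repo(files):
    """Create a constructed key repository in a temp dir from {name: mode}."""
    path = tempfile.mkdtemp(prefix="fernet-keys-")
    for name, mode in files.items():
        full = os.path.join(path, name)
        with open(full, "w") as f:
            f.write("constructed-key-material\n")  # not a real fernet key
        os.chmod(full, mode)
    return path
```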