[openstack-dev] [keystone] Token providers and Fernet as the default

Brant Knudson blk at acm.org
Tue May 3 13:49:35 UTC 2016

On Mon, May 2, 2016 at 6:26 PM, Clint Byrum <clint at fewbar.com> wrote:

> Hello! I enjoyed very much listening in on the default token provider
> work session last week in Austin, so thanks everyone for participating
> in that. I did not speak up then, because I wasn't really sure of this
> idea that has been bouncing around in my head, but now I think it's the
> case and we should consider this.
> Right now, Keystones without fernet keys are issuing UUID tokens. These
> tokens will be in the database, and valid, for however long the token
> TTL is.
> The moment that one changes the configuration, keystone will start
> rejecting these tokens. This will cause disruption, and I don't think
> that is fair to the users who will likely be shown new bugs in their
> code at a very unexpected moment.
> I wonder if one could merge UUID and Fernet into a provider which
> handles this transition gracefully:
> if self._fernet_keys:

This would have to check that there's an active fernet key and not just a
staging one. You'll want to push out a staging key to all the nodes first
to enable fernet validation before pushing out the active key to enable
token creation. Maybe there's a trick to getting keystone-manage
fernet_setup to only setup a staging key, or you just copy that key around.

Also, we could have keystone keep track of whether there are any uuid tokens,
since there's no need to query the database every time we get an invalid
token just to see an empty table.

- Brant

>   return self._issue_fernet_token()
> else:
>   return self._issue_uuid_token()
> And in the validation, do the same, but also with an eye toward keeping
> the UUID tokens alive:
> if self._fernet_keys:
>   try:
>     self._validate_fernet_token()
>   except InvalidFernetFormatting:
>     self._validate_uuid_token()
> else:
>   self._validate_uuid_token()
> So that while one is rolling out new keystone nodes and syncing fernet
> keys, all tokens issued would validate properly, with minimal extra
> cost to support both (basically just a number of UUID tokens will need
> to be parsed twice, once as Fernet, and once as UUID).
> Thoughts? I think doing this would make changing the default fairly
> uncontroversial.

- Brant
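As an added illustration (not code from Clint's or Brant's message, and not Keystone's own provider), here is a stdlib-only Python sketch of the transition Clint describes, with Brant's two refinements folded in: Fernet tokens are issued only when an active (non-staging) key is present, and the database lookup is skipped when no UUID tokens remain. The HMAC-tagged payload is a stand-in for real Fernet encryption, and the key-index convention (0 = staging, highest index = primary, the rest secondary) follows Keystone's fernet key repository. The fallback fires only on a format error: a Fernet-shaped token with a bad MAC is rejected outright and never retried as a UUID token, which is what `except InvalidFernetFormatting` implies.

```python
"""Transitional UUID/Fernet token provider sketch (stdlib only, assumed design).
The HMAC-tagged payload stands in for Keystone's real Fernet encryption."""
import base64
import binascii
import hashlib
import hmac
import json
import time
import uuid

FERNET_VERSION = b"\x80"  # real Fernet tokens start with this version byte
TAG_LEN = 32              # HMAC-SHA256 tag length for the stand-in format


class InvalidFernetFormatting(Exception):
    """Token is not Fernet-shaped at all, so it may be a UUID token."""


class InvalidToken(Exception):
    """Fernet-shaped but fails MAC/expiry, or UUID token unknown/expired."""


class KeyRepository:
    """Keystone convention: index 0 is the staging key (validate only), the
    highest index is the primary key (issue + validate), others are secondary."""
    def __init__(self, keys):
        self.keys = dict(keys)  # {index: 32-byte key}

    def primary(self):
        active = [i for i in self.keys if i > 0]
        return self.keys[max(active)] if active else None

    def all_keys(self):
        return list(self.keys.values())


class TransitionalTokenProvider:
    def __init__(self, repo, uuid_store, ttl=3600):
        self.repo = repo
        self.uuid_store = uuid_store  # stands in for the token table: {id: (user, exp)}
        self.ttl = ttl

    def issue(self, user_id, now=None):
        now = time.time() if now is None else now
        key = self.repo.primary()
        if key is not None:  # a staging-only repository must keep issuing UUID
            payload = json.dumps({"user_id": user_id, "exp": now + self.ttl}).encode()
            tag = hmac.new(key, FERNET_VERSION + payload, hashlib.sha256).digest()
            return base64.urlsafe_b64encode(FERNET_VERSION + payload + tag).decode()
        token_id = uuid.uuid4().hex
        self.uuid_store[token_id] = (user_id, now + self.ttl)
        return token_id

    def validate(self, token, now=None):
        now = time.time() if now is None else now
        if self.repo.all_keys():  # any key, staging included, enables validation
            try:
                return self._validate_fernet(token, now)
            except InvalidFernetFormatting:
                if not self.uuid_store:  # Brant's point: no DB round trip for an empty table
                    raise InvalidToken("not fernet-shaped and no uuid tokens exist")
                return self._validate_uuid(token, now)
        return self._validate_uuid(token, now)

    def _validate_fernet(self, token, now):
        try:
            raw = base64.urlsafe_b64decode(token.encode())
        except (binascii.Error, ValueError):
            raise InvalidFernetFormatting()
        if len(raw) <= 1 + TAG_LEN or raw[:1] != FERNET_VERSION:
            raise InvalidFernetFormatting()  # UUID hex never decodes to this shape
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        for key in self.repo.all_keys():  # staging and secondary keys still validate
            if hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
                claims = json.loads(body[1:])
                if claims["exp"] < now:
                    raise InvalidToken("expired")
                return claims["user_id"]
        raise InvalidToken("bad signature")  # Fernet-shaped: do NOT fall back to UUID

    def _validate_uuid(self, token, now):
        entry = self.uuid_store.get(token)
        if entry is None or entry[1] < now:
            raise InvalidToken("unknown or expired uuid token")
        return entry[0]


def demo():
    """Walk the rollout (no keys -> staging key -> active key); constructed data."""
    store, now = {}, 1_000_000.0
    uuid_tok = TransitionalTokenProvider(KeyRepository({}), store).issue("alice", now)
    staged = TransitionalTokenProvider(KeyRepository({0: b"s" * 32}), store).issue("bob", now)
    active = TransitionalTokenProvider(KeyRepository({0: b"s" * 32, 1: b"k" * 32}), store)
    fernet_tok = active.issue("carol", now)
    raw = bytearray(base64.urlsafe_b64decode(fernet_tok))
    raw[-1] ^= 0x01  # corrupt the MAC tag
    tampered = base64.urlsafe_b64encode(bytes(raw)).decode()
    empty = TransitionalTokenProvider(KeyRepository({1: b"k" * 32}), {})

    def outcome(provider, token, when):
        try:
            return provider.validate(token, when)
        except InvalidToken:
            return "rejected"

    return {
        "no_keys_issues_uuid": len(uuid_tok) == 32,
        "staging_only_still_issues_uuid": len(staged) == 32,
        "active_key_issues_fernet": fernet_tok.startswith("gH"),  # base64 of 0x80 '{'
        "old_uuid_valid_after_cutover": outcome(active, uuid_tok, now) == "alice",
        "fernet_valid": outcome(active, fernet_tok, now) == "carol",
        "tampered_fernet_rejected_not_retried": outcome(active, tampered, now) == "rejected",
        "expired_fernet_rejected": outcome(active, fernet_tok, now + 7200) == "rejected",
        "empty_uuid_table_short_circuits": outcome(empty, "x" * 32, now) == "rejected",
    }
```

The `demo()` walk mirrors the rollout order Brant describes: with only a staging key deployed, nodes can already validate Fernet tokens but keep issuing UUID tokens, and once an active key lands the still-valid UUID tokens continue to validate through the fallback path.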