[openstack-dev] [keystone][tripleo][ansible][puppet][all] changing default token format

Steve Martinelli s.martinelli at gmail.com
Thu Nov 3 14:29:57 UTC 2016


Thanks Alex and Emilien for the quick answer. This was brought up at the
summit by Adam, but I don't think we have to prevent keystone from changing
the default. TripleO and Puppet can still specify UUID as their desired
token format; it is not deprecated or slated for removal. Agreed?

On Thu, Nov 3, 2016 at 10:23 AM, Alex Schultz <aschultz at redhat.com> wrote:

> Hey Steve,
>
> On Thu, Nov 3, 2016 at 8:11 AM, Steve Martinelli <s.martinelli at gmail.com> wrote:
> > As a heads up to some of keystone's consuming projects, we will be changing
> > the default token format from UUID to Fernet. Many patches have merged to
> > make this possible [1]. The last 2 that you probably want to look at are [2]
> > and [3]. The first flips a switch in devstack to make fernet the selected
> > token format, the second makes it default in Keystone itself.
> >
> > [1] https://review.openstack.org/#/q/topic:make-fernet-default
> > [2] DevStack patch: https://review.openstack.org/#/c/367052/
> > [3] Keystone patch: https://review.openstack.org/#/c/345688/
> >
>
> Thanks for the heads up. In puppet openstack we had already
> anticipated this and attempted to do the same for the
> puppet-keystone[0] module as well.  Unfortunately after merging it, we
> found that tripleo wasn't yet prepared to handle the HA implementation
> of fernet tokens so we had to revert it[1].  This shouldn't impact
> anyone currently consuming puppet-keystone as we define uuid as the
> default for now. Our goal is to do something similar this cycle but
> there needs to be some further work in the downstream consumers to
> either define their expected default (of uuid) or support fernet key
> generation correctly.
>
> Thanks,
> -Alex
>
> [0] https://review.openstack.org/#/c/389322/
> [1] https://review.openstack.org/#/c/392332/
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>