[openstack-dev] [keystone]PKI token VS Fernet token

joehuang joehuang at huawei.com
Sat Feb 25 04:09:45 UTC 2017

Hello, Matt,

Thank you for your reply. Just as you mentioned, for slowly changing data, async replication should work. My concern is the impact of replication delay, for example (though there is quite a low chance of it happening):

1) Add a new user/group/role in RegionOne. Before the new user/group/role is replicated to RegionTwo, the new user begins to access RegionTwo services; then, because the data has not arrived yet, the user's request to RegionTwo may be rejected because the token validation failed in the local Keystone.

2) In the token revoke case. If we remove the user's role in RegionOne, the token in RegionOne will be invalid immediately, but before the remove operation is replicated to RegionTwo, the user can still use the token to access the services in RegionTwo, although it may last only a very short interval.

Is there someone who can evaluate whether the security risk is affordable or not?

Best Regards
Chaoyi Huang (joehuang)
From: Matt Fischer [matt at mattfischer.com]
Sent: 25 February 2017 11:38
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [keystone]PKI token VS Fernet token

At last, we still have one question:
For public cloud, it is very common that multiple regions are deployed. And the distance is usually very far between the regions. So the transport delay is really a problem. Fernet tokens require the data to be the same. Because of the slow connection and high time delay, in our opinion, it is unrealistic to let the keystones from different regions use the same keystone datacenter. Any idea about this problem? Thanks.

There's nothing in Fernet tokens that would cause an issue with the transportation delay. You could mail the Fernet keys to each region and you're still fine, why? Because key rotation means that the "next key" is already in place on every box when you rotate keys. There is a widely held misconception that all keystone nodes must instantaneously sync keys in every region or it won't work; that is simply not true. In fact the main reason we switched to Fernet was to REDUCE the load on our cross-region replication. Without a database full of tokens to deal with, there's basically nothing to replicate, as Joe says below. User/group/role changes for us were more of a few-times-a-day operation rather than getting a token, which is thousands of times per second.
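To illustrate the staged-key argument above, an added example (not from the thread, and not keystone's own code): a stand-in for keystone's Fernet key repository that uses HMAC-SHA256 signatures from the standard library instead of Fernet's AES-CBC encryption, mirroring only the repository semantics (index 0 is the staged key, the highest index is the primary, validation tries every key). It also shows the real constraint that Matt's argument relies on: a region that misses two rotations in a row can no longer validate the other region's tokens.

```python
import base64
import hashlib
import hmac
import os


def new_key():
    return os.urandom(32)


def issue_token(repo, payload):
    # Tokens are always signed with the primary key: the highest-numbered one.
    key = repo[max(repo)]
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag)


def validate_token(repo, token):
    # Every key in the repository is tried (staged, primary and secondaries),
    # which is what lets a not-yet-rotated region accept a rotated region's token.
    raw = base64.urlsafe_b64decode(token)
    payload, tag = raw[:-32], raw[-32:]
    for key in repo.values():
        if hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), tag):
            return payload
    return None


def rotate(repo):
    # Keystone-style rotation: staged key 0 becomes the new primary and a fresh
    # staged key is written at index 0; older primaries remain as secondaries.
    new = dict(repo)
    staged = new.pop(0)
    new[max(new) + 1] = staged
    new[0] = new_key()
    return new


def demo():
    # Constructed scenario: RegionOne sets up the repository (0 staged, 1 primary)
    # and copies it to RegionTwo over a slow link, before the next rotation.
    region_one = {0: new_key(), 1: new_key()}
    region_two = dict(region_one)
    region_one = rotate(region_one)  # RegionTwo has not received this yet
    token = issue_token(region_one, b"user:alice,project:demo")
    synced_once = validate_token(region_two, token) is not None
    never_synced = {1: region_two[1]}  # a copy that never got the staged key
    no_staged_key = validate_token(never_synced, token) is None
    region_one = rotate(region_one)  # second rotation, RegionTwo still stale
    token2 = issue_token(region_one, b"user:alice,project:demo")
    missed_two_rotations = validate_token(region_two, token2) is None
    return {"synced_once": synced_once, "no_staged_key": no_staged_key,
            "missed_two_rotations": missed_two_rotations}
```

The takeaway is that the key repository only has to reach each region once per rotation interval, not instantly; replication of users, groups and roles is a separate question.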
