[openstack-dev] [kolla][keystone] better way to rotate and distribution keystone fernet keys in container env
Jeffrey Zhang
zhang.lei.fly at gmail.com
Tue Mar 7 00:56:17 UTC 2017
On Tue, Mar 7, 2017 at 2:09 AM, Matt Fischer <matt at mattfischer.com> wrote:
> I don't think it would cause an issue if every controller rotated all at
> once. The issues are more along the lines of rotating to key C when there
> are tokens out there that are encrypted with keys A and B. In other words
> over-rotation. As long as your keys are properly staged, do the rotation
> all at once or space them out, should not make any difference.
>
The issue is "at once".
It takes some time to rotate and distribute the keys. There is one case
that.
controller A and controller B generate a new different keys. Then they copy
the key to other by using rsync.
A: 0 1 2 3
B: 0' 1' 2 3
When distributing, the 0/0' and 1/1' may be overrode(rsync hold the delete
file handler and copy it to other one). it will lead to
A: 0' 1' 2 3
B: 0 1 2 3
next rotation, it may become
A: 0' 1' 2' 3
B: 0 1 2 3
after distribute , it become
A: 0 1 2 3
B: 0' 1' 2' 3
Next rotation and distribute, issue happen.
This is a small probability, but it still possible.
--
Regards,
Jeffrey Zhang
Blog: http://xcodest.me
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20170307/14cc3a14/attachment.html>
More information about the OpenStack-dev
mailing list