[openstack-dev] [keystone] [tripleo] [deployment] Keystone Fernet keys rotations spec

Emilien Macchi emilien at redhat.com
Thu Mar 16 15:12:39 UTC 2017

On Tue, Mar 14, 2017 at 1:27 PM, Emilien Macchi <emilien at redhat.com> wrote:
> Folks,
> I found useful to share a spec that I started to write this morning:
> https://review.openstack.org/445592
> The goal is to do Keystone Fernet keys rotations in a way that scales
> and is secure, by using the standard tools and not re-inventing the
> wheel.
> In other words: if you're working on Keystone or TripleO or any other
> deployment tool: please read the spec and give any feedback.
> We would like to find a solution that would work for all OpenStack
> deployment tools (Kolla, OSA, Fuel, TripleO, Helm, etc) but I sent the
> specs to tripleo project
> to get some feedback.
> If you already has THE solution that you think is the best one, then
> we would be very happy to learn from it in a comment directly in the
> spec.

After 2 days of review from Keystone, TripleO, OSA (and probably some
groups I missed), it's pretty clear the problem is already being fixed
in different places in different ways and that's bad.
IMHO we should engage some work to fix it in Keystone and investigate
again a storage backend for Keystone tokens.

The Keystone specs that started this investigation was removed for Pike:

I see 2 options here:

- we keep duplicating efforts and let deployers implement their own solutions.

- we work with Keystone team to re-enable the spec and move forward to
solve the problem in Keystone itself, therefore for all deployments
tools in OpenStack (my favorite option).

I would like to hear from Keystone folks what are the main blockers
for option #2 and if this is only a human resource issue or if there
is some technical points we need to solve (in that case, it could be
done in the specs).

Emilien Macchi

More information about the OpenStack-dev mailing list