[Openstack] [kolla][keystone] better way to rotate and distribution keystone fernet keys in container env
zhang.lei.fly at gmail.com
Mon Mar 6 05:52:01 UTC 2017
fix subject typo
On Mon, Mar 6, 2017 at 12:28 PM, Jeffrey Zhang <zhang.lei.fly at gmail.com> wrote:
> Kolla has support for keystone fernet keys, but there are still some
> topics worth talking about.
> The key issue is key distribution. Kolla's solution is like this:
> * There is a task run frequently by cronjob to check whether
> the key should be rotated. This is controlled by the
> `fernet_token_expiry` variable.
> * When key rotation is required, the task in the cron job will generate a
> new key by using `keystone-manage fernet-rotate` and distribute all
> keys in the /etc/keystone/fernet-keys folder to the others by using
> `rsync --delete`.
> One issue is: there is no global lock in the rotate and distribute steps.
> The above command is run on all controllers. It may cause issues if
> all controllers run this at the same time.
> Since we are using Ansible as the deployment tool, there is no daemon
> agent at all to keep rotation and distribution atomic. Is there any
> easier way to implement a global lock?
> Possible solutions:
> 1. configure the cron job with a different time on each controller
> 2. implement a global lock? (no idea how)
> https://docs.openstack.org/admin-guide/identity-fernet-token-faq.html
> Jeffrey Zhang
> Blog: http://xcodest.me
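The rotate-and-rsync cron task described above, written as a wrapper script that takes option 1 (stagger the controllers) and adds a host-local lock plus a re-check after the delay; this is an added example, not Kolla's code. It assumes GNU `stat` and `od`, that `FERNET_DIR`, `FERNET_TOKEN_EXPIRY` (seconds) and `PEERS` are set by the caller, and it spells the keystone-manage subcommand `fernet_rotate`.

```shell
#!/bin/sh
# Added example (not Kolla's code): a cron wrapper around the rotate-and-rsync
# procedure from the post. It serializes runs on one host with flock, staggers
# the start per controller (option 1 from the post), and re-checks key age after
# the delay so a peer's freshly synced primary key suppresses a second rotation.
# Assumed: GNU stat/od, and that FERNET_DIR, FERNET_TOKEN_EXPIRY (seconds) and
# PEERS (space-separated controller hosts) are set by the caller.

FERNET_DIR="${FERNET_DIR:-/etc/keystone/fernet-keys}"
FERNET_TOKEN_EXPIRY="${FERNET_TOKEN_EXPIRY:-86400}"
KEYSTONE_MANAGE="${KEYSTONE_MANAGE:-keystone-manage}"
RSYNC="${RSYNC:-rsync}"

# Deterministic per-host offset in [0, max): the sum of the hostname's bytes
# modulo max, so every controller gets a different delay without hand-editing
# crontabs (hostnames whose byte sums collide would still get the same delay).
stagger_seconds() {
    host="$1"; max="$2"; sum=0
    for c in $(printf '%s' "$host" | od -An -tu1); do sum=$((sum + c)); done
    echo $((sum % max))
}

# Rotation is due when the primary key (highest-numbered file in the key
# directory) is older than the token expiry, or when no keys exist yet.
rotation_due() {
    dir="$1"; expiry="$2"
    primary=$(ls "$dir" | grep -E '^[0-9]+$' | sort -n | tail -1)
    [ -n "$primary" ] || return 0
    age=$(( $(date +%s) - $(stat -c %Y "$dir/$primary") ))
    [ "$age" -ge "$expiry" ]
}

# Rotate on this host, then push the whole key set to the peers. The flock is
# host-local: it prevents overlapping cron runs here, not across controllers.
rotate_and_sync() {
    exec 9>"${LOCK_FILE:-/var/run/fernet-rotate.lock}"
    flock -n 9 || { echo "rotation already running on $(hostname)"; return 0; }
    rotation_due "$FERNET_DIR" "$FERNET_TOKEN_EXPIRY" || return 0
    sleep "$(stagger_seconds "$(hostname)" 300)"
    # A peer may have rotated and rsynced a new primary key to us meanwhile.
    rotation_due "$FERNET_DIR" "$FERNET_TOKEN_EXPIRY" || return 0
    "$KEYSTONE_MANAGE" fernet_rotate --keystone-user keystone --keystone-group keystone
    for peer in $PEERS; do
        "$RSYNC" -a --delete "$FERNET_DIR/" "$peer:$FERNET_DIR/"
    done
}
```

Call `rotate_and_sync` from the cron entry on every controller; the stagger and the second `rotation_due` check narrow the window in which two controllers rotate concurrently but do not close it, which is why a true global lock is still the open question.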