[queens-only] Increase auth_ttl for ec2token expiry

The recently added default of 15 mins for CVE-2020-12692 in keystone
may not work with undercloud where deployments can run for a long
time. Let's keep it large enough to avoid its expiration during
an overcloud deployment before the stack action times out.

Change-Id: I217192b8563e615dffc590f9d548883e0f1b38de
Related-Bug: #1872737
changes/67/733467/2
Michele Baldessari 1 month ago
parent
commit
2323fd3b7e
1 changed files with 4 additions and 0 deletions
      elements/puppet-stack-config/puppet-stack-config.yaml.template

@@ -239,6 +239,10 @@ keystone::enable_credential_setup: true
keystone::fernet_max_active_keys: 2
keystone::cache_memcache_servers: "%{hiera('memcached::listen_ip')}:11211"
keystone::cache_backend: "dogpile.cache.memcached"
# CVE-2020-12692 set the default of 15 mins for ttl in keystone, we need that to be a lot higher
keystone::config::keystone_config:
credential/auth_ttl:
value: 240

# MySQL
admin_password: {{UNDERCLOUD_ADMIN_PASSWORD}}
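
Review bot: The comment above credential/auth_ttl does not state the unit or why 240 was chosen. The commit message gives the keystone default as 15 mins, so 240 presumably means minutes (4 hours), which is a 16x wider validity window for ec2token requests than the one introduced for CVE-2020-12692. Suggest spelling that out in the comment, for example "auth_ttl is in minutes; 240 must exceed the stack action timeout", and stating that the override is intended for the undercloud only, so the widened window is a documented trade-off rather than a magic number. If the stack action timeout can be set higher than 240, the token can still expire mid-deployment; consider referencing that timeout in the comment or deriving the value from it.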

