Add hint for order of keys during distribution
If the new primary key is not the first to be distributed after fernet key rotation, there may be a small time window during the key distribution when tokens issued by the node where fernet rotation was performed cannot be validated on the node where keys are being distributed to.

Change-Id: I34b5cadd12815ee95c71d8c163504390a9e5e343
Closes-Bug: #1816927
parent: 1d0c87cbb2
commit: 261eeaa19b
@ -87,8 +87,8 @@ The :command:`keystone-manage` command line utility includes a key rotation
|
|||||||
mechanism. This mechanism will initialize and rotate keys but does not make
|
mechanism. This mechanism will initialize and rotate keys but does not make
|
||||||
an effort to distribute keys across keystone nodes. The distribution of keys
|
an effort to distribute keys across keystone nodes. The distribution of keys
|
||||||
across a keystone deployment is best handled through configuration management
|
across a keystone deployment is best handled through configuration management
|
||||||
tooling. Use :command:`keystone-manage fernet_rotate` to rotate the key
|
tooling, however ensure that the new primary key is distributed first.
|
||||||
repository.
|
Use :command:`keystone-manage fernet_rotate` to rotate the key repository.
|
||||||
|
|
||||||
Do fernet tokens still expire?
|
Do fernet tokens still expire?
|
||||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
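Review bot: the added sentence on the right-hand side, `tooling, however ensure that the new primary key is distributed first.`, is a comma splice and gives the reader no reason for the ordering; suggest `tooling; however, ensure that the new primary key (the one with the highest index) is distributed first.` and follow it with the motivation from the commit message, i.e. that until a node has received the new primary key it cannot validate tokens issued by the node where the rotation was performed, so distributing the primary key first keeps that window as short as possible.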
releasenotes/notes/bug-1816927-e17f4e596e611380.yaml (new file, 8 lines)
@ -0,0 +1,8 @@
|
|||||||
|
---
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
[`bug 1816927 <https://bugs.launchpad.net/keystone/+bug/1816927>`_]
|
||||||
|
It was discovered that the order in which fernet keys are distributed
|
||||||
|
after fernet key rotation has impact on keystone service.
|
||||||
|
All operators are advised to ensure that during fernet key distribution
|
||||||
|
the new primary fernet key (with largest number) is distributed first.
|
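Review bot: `has impact on keystone service` in the release note is ungrammatical and too vague for operators; suggest `affects token validation` and name the symptom from the commit message, e.g. `tokens issued by the node where the rotation was performed may fail validation on nodes that have not yet received the new primary key`, so the note can be matched to what is observed in the field. The `(with largest number)` parenthetical should also say what number is meant, i.e. the key's index (its filename) in the key repository.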