Add hint for order of keys during distribution

If the new primary key is not the first to be distributed after fernet
key rotation, there may be a small time window during the key
distribution when tokens issued by the node where fernet rotation was
performed cannot be validated on the node where keys are being
distributed to.

Change-Id: I34b5cadd12815ee95c71d8c163504390a9e5e343
Closes-Bug: #1816927
This commit is contained in:
Pavlo Shchelokovskyy 2019-02-21 13:06:10 +02:00 committed by Pavlo Shchelokovskyy
parent 1d0c87cbb2
commit 261eeaa19b
2 changed files with 10 additions and 2 deletions
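The ordering rule the commit message describes, as an added example that is not part of this commit or of keystone's own tooling: a small POSIX shell helper that lists the files of a fernet key repository in the order they should be copied to other keystone nodes after `keystone-manage fernet_rotate`. It takes as given keystone's repository layout (files named by integer index, the highest index being the primary key and `0` the staged key); the destination host and path in `distribute_fernet_keys` are hypothetical placeholders. The staged key goes last because, in keystone's rotation scheme, the staged key is promoted to primary on rotation, so a node's old `0` still carries the new primary's material until it is overwritten; copying the new `0` before the new primary arrives is what opens the validation window.

```shell
#!/bin/sh
# Added example (not keystone code): order fernet key files for distribution
# so that the new primary key (largest number) is copied first and the staged
# key (0) last.
#
# Assumption (keystone repository convention, not stated by the commit):
# key files are named by integer index, highest index = primary, 0 = staged.

# Print the key file names of repository directory $1, one per line, in
# distribution order: numbered keys highest first, staged key 0 last.
# Non-numeric files (e.g. a README) are ignored.
fernet_distribution_order() {
    dir="$1"
    for f in $(ls -1 "$dir" | grep -E '^[0-9]+$' | sort -rn); do
        [ "$f" = "0" ] && continue
        echo "$f"
    done
    # Staged key last: copying it earlier would overwrite the old staged key
    # (same material as the new primary) before the new primary arrives.
    if [ -f "$dir/0" ]; then
        echo 0
    fi
}

# Copy the repository $1 to a remote repository $2 in that order.
# $2 is a hypothetical scp target such as root@node2:/etc/keystone/fernet-keys
distribute_fernet_keys() {
    src="$1"
    dest="$2"
    for k in $(fernet_distribution_order "$src"); do
        scp -p "$src/$k" "$dest/$k" || return 1
    done
}

# Constructed sample repository for a stand-alone run (keys 0..3 after a
# rotation, plus a stray file that must be skipped).
demo_repo=$(mktemp -d)
for k in 0 1 2 3; do printf 'key-material-%s\n' "$k" > "$demo_repo/$k"; done
printf 'not a key\n' > "$demo_repo/README"
fernet_distribution_order "$demo_repo"   # prints 3 2 1 0, one per line
rm -rf "$demo_repo"
```

Run it against a real repository with `fernet_distribution_order /etc/keystone/fernet-keys` to see the order before wiring the copy step into configuration management; the same ordering is what a Puppet, Ansible or similar key-sync task should preserve.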


@ -87,8 +87,8 @@ The :command:`keystone-manage` command line utility includes a key rotation
mechanism. This mechanism will initialize and rotate keys but does not make mechanism. This mechanism will initialize and rotate keys but does not make
an effort to distribute keys across keystone nodes. The distribution of keys an effort to distribute keys across keystone nodes. The distribution of keys
across a keystone deployment is best handled through configuration management across a keystone deployment is best handled through configuration management
tooling. Use :command:`keystone-manage fernet_rotate` to rotate the key tooling, however ensure that the new primary key is distributed first.
repository. Use :command:`keystone-manage fernet_rotate` to rotate the key repository.
Do fernet tokens still expire? Do fernet tokens still expire?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
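Review bot: the new clause on the right-hand side of the `tooling` line is a comma splice; `tooling, however ensure that the new primary key is distributed first.` should read `tooling; however, ensure that the new primary key is distributed first.` The documentation also states the rule without the reason given in the commit message (tokens issued by the node where rotation was performed cannot be validated on nodes that have not yet received the new primary key); one sentence of rationale here would tell operators what breaks when keys are copied in the wrong order, and it would help to identify the primary key as the one with the largest number, as the release note hunk does.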


@ -0,0 +1,8 @@
---
fixes:
- |
[`bug 1816927 <https://bugs.launchpad.net/keystone/+bug/1816927>`_]
It was discovered that the order in which fernet keys are distributed
after fernet key rotation has impact on keystone service.
All operators are advised to ensure that during fernet key distribution
the new primary fernet key (with largest number) is distributed first.
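Review bot: `has impact on keystone service` is missing its articles (`has an impact on the keystone service`), and more usefully the note should name the actual effect from the commit message, e.g. `tokens issued by the node where rotation was performed cannot be validated on nodes that have not yet received the new primary key`, since `has impact` does not tell operators which failure to expect. The advice sentence would also benefit from saying when it applies: when configuration management copies the key repository to other nodes after `keystone-manage fernet_rotate`.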