Merge "Add hint for order of keys during distribution"

2019-03-12 21:35:12 +00:00 · 2019-03-12 21:35:12 +00:00 · 2c7bb275f9
commit 2c7bb275f9
parent f0c2e798f7 261eeaa19b
2 changed files with 10 additions and 2 deletions
--- a/doc/source/admin/fernet-token-faq.rst
+++ b/doc/source/admin/fernet-token-faq.rst
@ -87,8 +87,8 @@ The :command:`keystone-manage` command line utility includes a key rotation
 mechanism. This mechanism will initialize and rotate keys but does not make
 an effort to distribute keys across keystone nodes. The distribution of keys
 across a keystone deployment is best handled through configuration management
-tooling. Use :command:`keystone-manage fernet_rotate` to rotate the key
-repository.
+tooling, however ensure that the new primary key is distributed first.
+Use :command:`keystone-manage fernet_rotate` to rotate the key repository.

 Do fernet tokens still expire?
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--- a/releasenotes/notes/bug-1816927-e17f4e596e611380.yaml
+++ b/releasenotes/notes/bug-1816927-e17f4e596e611380.yaml
@ -0,0 +1,8 @@
+---
+fixes:
+  - |
+    [`bug 1816927 <https://bugs.launchpad.net/keystone/+bug/1816927>`_]
+    It was discovered that the order in which fernet keys are distributed
+    after fernet key rotation has impact on keystone service.
+    All operators are advised to ensure that during fernet key distribution
+    the new primary fernet key (with largest number) is distributed first.