Merge "Add hint for order of keys during distribution"

This commit is contained in:
Zuul 2019-03-12 21:35:12 +00:00 committed by Gerrit Code Review
commit 2c7bb275f9
2 changed files with 10 additions and 2 deletions

View File

@ -87,8 +87,8 @@ The :command:`keystone-manage` command line utility includes a key rotation
mechanism. This mechanism will initialize and rotate keys but does not make mechanism. This mechanism will initialize and rotate keys but does not make
an effort to distribute keys across keystone nodes. The distribution of keys an effort to distribute keys across keystone nodes. The distribution of keys
across a keystone deployment is best handled through configuration management across a keystone deployment is best handled through configuration management
tooling. Use :command:`keystone-manage fernet_rotate` to rotate the key tooling, however ensure that the new primary key is distributed first.
repository. Use :command:`keystone-manage fernet_rotate` to rotate the key repository.
Do fernet tokens still expire? Do fernet tokens still expire?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

View File

@ -0,0 +1,8 @@
---
fixes:
- |
[`bug 1816927 <https://bugs.launchpad.net/keystone/+bug/1816927>`_]
It was discovered that the order in which fernet keys are distributed
after fernet key rotation has impact on keystone service.
All operators are advised to ensure that during fernet key distribution
the new primary fernet key (with largest number) is distributed first.