Mention allow_expired_window in fernet FAQ

this value should be taken into account when calculating desired number of fernet keys when validating of expired tokens is needed, for example to make ServiceToken auth to work. Change-Id: Id679cfc20603eacf7b8171a25a650e8c745033db
2019-02-21 13:14:36 +02:00 · 2019-02-21 13:14:36 +02:00 · 9d366a528b
commit 9d366a528b
parent 2c7bb275f9
1 changed files with 13 additions and 1 deletions
--- a/doc/source/admin/fernet-token-faq.rst
+++ b/doc/source/admin/fernet-token-faq.rst
@ -271,7 +271,18 @@ and adding two. Better illustrated as::
    max_active_keys = (token_expiration / rotation_frequency) + 2

 The reason for adding two additional keys to the count is to include the staged
-key and a buffer key. This can be shown based on the previous example. We
+key and a buffer key.
+
+.. note::
+   If validating expired tokens is needed (for example when services are
+   configured to use ServiceToken auth), the value of
+   ``allow_expired_window`` option from the ``[token]`` config section
+   should also be taken into account, so that the formula to calculate the
+   max_active_keys is
+
+   max_active_keys = ((token_expiration + allow_expired_window) / rotation_frequency) + 2
+
+This can be shown based on the previous example. We
 initially setup the key repository at 6:00 AM on Monday, and the initial state
 looks like:

@ -363,3 +374,4 @@ If keystone were to receive a token that was created between 6:00 AM and 12:00
 PM the day before, encrypted with the ``1`` key, it would not be valid because
 it was already expired. This makes it possible for us to remove the ``1`` key
 from the repository without negative validation side-effects.
+