keystone/releasenotes/notes/bug-1561054-dbe88b552a936a0...

24 lines
1.3 KiB
YAML

---
prelude: >
- The default token provider is now Fernet.
upgrade:
- >
[`bug 1561054 <https://bugs.launchpad.net/keystone/+bug/1561054>`_]
The default token provider has switched from UUID to Fernet. Please note
Fernet requires a key repository to be in place prior to running Ocata,
this can be done by running ``keystone-manage fernet_setup``.
Additionally, for multi-node deployments, it is imperative a key
distribution process be in use before upgrading. Once a key repository has
been created it should be distributed to all keystone nodes in the deployment.
This ensures each keystone node will be able to validate tokens issued
across the deployment. If you do not wish to switch token formats, you will
need to explicitly set the token provider for each node in the deployment
by setting ``[token] provider`` to ``uuid`` in ``keystone.conf``.
Documentation can be found at `fernet-tokens <https://docs.openstack.org/developer/keystone/configuration.html#encryption-keys-for-fernet-tokens>`_.
critical:
- >
[`bug 1561054 <https://bugs.launchpad.net/keystone/+bug/1561054>`_]
If upgrading to Fernet tokens, you must have a key repository and key distribution
mechanism in place, otherwise token validation may not work. Please see the
upgrade section for more details.