e5add63637
Let's add a release note for switching the default token provider. This will need to merge before we can make any upgrade changes to grenade for the Newton to Ocata upgrade.

Change-Id: I7208bf6cb9329d6ca1f49409da44b0537c74aea9
22 lines
1.1 KiB
YAML
---
upgrade:
  - The default token provider has switched from UUID
    to Fernet. Please note that Fernet requires a
    key repository to be in place prior to running Ocata.
    This can be done using ``keystone-manage fernet_setup``.
    Documentation can be found `here <http://docs.openstack.org/developer/keystone/man/keystone-manage.html>`_.
    In addition, for multi-node deployments, it is imperative that
    a key distribution process be in use before upgrading. Once
    a key repository has been created it should be distributed
    to all keystone nodes in the deployment. This ensures that
    each keystone node will be able to validate tokens issued
    across the deployment. If you do not wish to switch token
    formats, you will need to explicitly set UUID as the token
    provider for each node in the deployment using
    ``[token] provider = uuid`` in your ``keystone.conf``.
critical:
  - If upgrading to Fernet tokens, you must have a key
    repository and key distribution mechanism in place.
    Otherwise token validation may not work. Please see
    the upgrade section for more details.
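
A pre-upgrade check for the key repository and distribution requirement in the note above, as an added example that is not part of keystone or of this commit. It assumes each repository is a directory of key files named by integer index, each holding a url-safe base64 encoding of 32 bytes; the node names, temporary paths, and the permission check are constructed for the illustration.

```python
import base64, hashlib, os, tempfile

def audit_repo(path):
    """Return ({key_index: sha256}, [problems]) for one Fernet key repository."""
    digests, problems = {}, []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not name.isdigit():
            problems.append(f"{name}: unexpected file, keys are named by integer index")
            continue
        if os.stat(full).st_mode & 0o077:
            problems.append(f"{name}: readable by group or other")
        with open(full, "rb") as fh:
            raw = fh.read().strip()
        try:
            valid = len(base64.urlsafe_b64decode(raw)) == 32
        except ValueError:  # binascii.Error (bad padding) is a ValueError
            valid = False
        if not valid:
            problems.append(f"{name}: not a 32-byte url-safe base64 key")
        digests[int(name)] = hashlib.sha256(raw).hexdigest()
    if not digests:
        problems.append("repository is empty, run keystone-manage fernet_setup")
    return digests, problems

def find_drift(repos):
    """repos maps node name -> repository path; the first entry is the reference."""
    digests = {node: audit_repo(path)[0] for node, path in repos.items()}
    reference = next(iter(digests.values()))
    return sorted(n for n, d in digests.items() if d != reference)

def make_repo(root, node, keys):
    path = os.path.join(root, node)
    os.mkdir(path)
    for index, key in keys.items():
        fd = os.open(os.path.join(path, str(index)), os.O_WRONLY | os.O_CREAT, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(key)
    return path

def demo():
    new_key = lambda: base64.urlsafe_b64encode(os.urandom(32))
    shared = {0: new_key(), 1: new_key()}
    with tempfile.TemporaryDirectory() as root:
        repos = {"node1": make_repo(root, "node1", shared),
                 "node2": make_repo(root, "node2", shared),
                 # constructed keys; node3 holds its own set, not the shared one
                 "node3": make_repo(root, "node3", {0: new_key(), 1: new_key()})}
        return find_drift(repos), {n: audit_repo(p)[1] for n, p in repos.items()}
```

Only digests are compared, so the report can be collected centrally without copying key material off the nodes. A node listed by `find_drift` cannot validate tokens issued by the reference node.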