24 lines
1.3 KiB
YAML
24 lines
1.3 KiB
YAML
---
|
|
prelude: >
|
|
- The default token provider is now Fernet.
|
|
upgrade:
|
|
- >
|
|
[`bug 1561054 <https://bugs.launchpad.net/keystone/+bug/1561054>`_]
|
|
The default token provider has switched from UUID to Fernet. Please note
|
|
Fernet requires a key repository to be in place prior to running Ocata,
|
|
this can be done by running ``keystone-manage fernet_setup``.
|
|
Additionally, for multi-node deployments, it is imperative a key
|
|
distribution process be in use before upgrading. Once a key repository has
|
|
been created it should be distributed to all keystone nodes in the deployment.
|
|
This ensures each keystone node will be able to validate tokens issued
|
|
across the deployment. If you do not wish to switch token formats, you will
|
|
need to explicitly set the token provider for each node in the deployment
|
|
by setting ``[token] provider`` to ``uuid`` in ``keystone.conf``.
|
|
Documentation can be found at `fernet-tokens <https://docs.openstack.org/developer/keystone/configuration.html#encryption-keys-for-fernet-tokens>`_.
|
|
critical:
|
|
- >
|
|
[`bug 1561054 <https://bugs.launchpad.net/keystone/+bug/1561054>`_]
|
|
If upgrading to Fernet tokens, you must have a key repository and key distribution
|
|
mechanism in place, otherwise token validation may not work. Please see the
|
|
upgrade section for more details.
|