openstack/openstack-helm
Code Issues Proposed changes

Update fernet keys rotation and expiration

Browse Source 
Keystone token expiration, rotation frequency and active keys
values should follow the formula:

max_active_keys = (token_expiration / rotation_frequency) + 2

max_active_keys by default is 3
token expiration set to 43200 (12h)
rotation frequency set to 12 hours

Change-Id: Ia04daec9b2905ef2d3f2d4fbb43557dda220dc70
Signed-off-by: Ruslan Khanbikov <rk760n@att.com>
This commit is contained in:
Ruslan Khanbikov 2018-06-27 12:50:00 -07:00 committed by Ruslan Khanbikov
parent 25e50a34c6
commit c3b2c944f8
1 changed files with 7 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
keystone/values.yaml
View File

@ -314,8 +314,11 @@ jobs:
user: keystone user: keystone
group: keystone group: keystone
fernet_rotate: fernet_rotate:
# weekly # NOTE(rk760n): key rotation frequency, token expiration, active keys should statisfy the formula
cron: "0 0 * * 0" # max_active_keys = (token_expiration / rotation_frequency) + 2
# as expiration is 12h, and max_active_keys set to 3 by default, rotation_frequency need to be adjusted
# 12 hours
cron: "0 */12 * * *"
user: keystone user: keystone
group: keystone group: keystone
history: history:
@ -341,6 +344,8 @@ conf:
max_token_size: 255 max_token_size: 255
token: token:
provider: fernet provider: fernet
# 12 hours
expiration: 43200
identity: identity:
domain_specific_drivers_enabled: True domain_specific_drivers_enabled: True
domain_config_dir: /etc/keystonedomains domain_config_dir: /etc/keystonedomains