Allow the management of the Fernet Keys
When keystone uses Fernet tokens in a multi node environment, each of the nodes needs to have a copy of the keys used by other nodes. While the upstream suggestion is to run the command on one node and then copy the keys to the others, deployments using a central configuration server do not usually follow workflows like this. Instead the keys are generated off server, and managed in a central data store. This change follows the pattern set for credentials key management. Change-Id: Ibd2a7692c247d0367c5fd331bb88790f882c2c91
This commit is contained in:
parent
4d441726ad
commit
cf5a131cd7
|
@ -432,6 +432,20 @@
|
|||
# (Optional) Number of maximum active Fernet keys. Integer > 0.
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*fernet_keys*]
|
||||
# (Optional) Hash of Keystone fernet keys
|
||||
# If you enable this parameter, make sure enable_fernet_setup is set to True.
|
||||
# Example of valid value:
|
||||
# fernet_keys:
|
||||
# /etc/keystone/fernet-keys/0:
|
||||
# content: c_aJfy6At9y-toNS9SF1NQMTSkSzQ-OBYeYulTqKsWU=
|
||||
# /etc/keystone/fernet-keys/1:
|
||||
# content: zx0hNG7CStxFz5KXZRsf7sE4lju0dLYvXdGDIKGcd7k=
|
||||
# Puppet will create a file per key in $fernet_key_repository.
|
||||
# Note: defaults to false so keystone-manage fernet_setup will be executed.
|
||||
# Otherwise Puppet will manage keys with File resource.
|
||||
# Defaults to false
|
||||
#
|
||||
# [*enable_credential_setup*]
|
||||
# (Optional) Setup keystone for credentials.
|
||||
# In a cluster environment where multiple Keystone nodes are running, you might
|
||||
|
@ -713,6 +727,7 @@ class keystone(
|
|||
$enable_fernet_setup = false,
|
||||
$fernet_key_repository = '/etc/keystone/fernet-keys',
|
||||
$fernet_max_active_keys = $::os_service_default,
|
||||
$fernet_keys = false,
|
||||
$enable_credential_setup = false,
|
||||
$credential_key_repository = '/etc/keystone/credential-keys',
|
||||
$credential_keys = false,
|
||||
|
@ -1112,16 +1127,26 @@ class keystone(
|
|||
subscribe => Anchor['keystone::install::end'],
|
||||
})
|
||||
|
||||
exec { 'keystone-manage fernet_setup':
|
||||
command => "keystone-manage fernet_setup --keystone-user ${keystone_user} --keystone-group ${keystone_group}",
|
||||
path => '/usr/bin',
|
||||
user => $keystone_user,
|
||||
refreshonly => true,
|
||||
creates => "${fernet_key_repository}/0",
|
||||
notify => Anchor['keystone::service::begin'],
|
||||
subscribe => [Anchor['keystone::install::end'], Anchor['keystone::config::end']],
|
||||
require => File[$fernet_key_repository],
|
||||
tag => 'keystone-exec',
|
||||
if $fernet_keys {
|
||||
validate_hash($fernet_keys)
|
||||
create_resources('file', $fernet_keys, {
|
||||
'owner' => $keystone_user,
|
||||
'group' => $keystone_group,
|
||||
'subscribe' => 'Anchor[keystone::install::end]',
|
||||
}
|
||||
)
|
||||
} else {
|
||||
exec { 'keystone-manage fernet_setup':
|
||||
command => "keystone-manage fernet_setup --keystone-user ${keystone_user} --keystone-group ${keystone_group}",
|
||||
path => '/usr/bin',
|
||||
user => $keystone_user,
|
||||
refreshonly => true,
|
||||
creates => "${fernet_key_repository}/0",
|
||||
notify => Anchor['keystone::service::begin'],
|
||||
subscribe => [Anchor['keystone::install::end'], Anchor['keystone::config::end']],
|
||||
require => File[$fernet_key_repository],
|
||||
tag => 'keystone-exec',
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -0,0 +1,12 @@
|
|||
---
|
||||
features:
|
||||
- keystone-manage can be used to setup Keystone Fernet Keys. Disabled by default
|
||||
as long as the proper version of keystone is not in UCA.
|
||||
Upstream Keystone is moving to Fernet token support as the default provider.
|
||||
With recent issues witj PKI, Fernet is the only viable token format for
|
||||
multisite.
|
||||
|
||||
Note, if fernet_keys parameter is set to a valid hash, keystone-manage won't
|
||||
be used to generate credential keys but Puppet will manage file resources for each
|
||||
key in the hash. It allows ensures that a the keys are synchronized in a
|
||||
multinode environment.
|
|
@ -1051,6 +1051,36 @@ describe 'keystone' do
|
|||
end
|
||||
end
|
||||
|
||||
describe 'when setting fernet_keys parameter' do
|
||||
let :params do
|
||||
default_params.merge({
|
||||
'enable_fernet_setup' => true,
|
||||
'fernet_keys' => {
|
||||
'/etc/keystone/fernet-keys/0' => {
|
||||
'content' => 't-WdduhORSqoyAykuqWAQSYjg2rSRuJYySgI2xh48CI=',
|
||||
},
|
||||
'/etc/keystone/fernet-keys/1' => {
|
||||
'content' => 'GLlnyygEVJP4-H2OMwClXn3sdSQUZsM5F194139Unv8=',
|
||||
},
|
||||
}
|
||||
})
|
||||
end
|
||||
|
||||
it { is_expected.to_not contain_exec('keystone-manage fernet_setup') }
|
||||
it { is_expected.to contain_file('/etc/keystone/fernet-keys/0').with(
|
||||
'content' => 't-WdduhORSqoyAykuqWAQSYjg2rSRuJYySgI2xh48CI=',
|
||||
'owner' => 'keystone',
|
||||
'owner' => 'keystone',
|
||||
'subscribe' => 'Anchor[keystone::install::end]',
|
||||
)}
|
||||
it { is_expected.to contain_file('/etc/keystone/fernet-keys/1').with(
|
||||
'content' => 'GLlnyygEVJP4-H2OMwClXn3sdSQUZsM5F194139Unv8=',
|
||||
'owner' => 'keystone',
|
||||
'owner' => 'keystone',
|
||||
'subscribe' => 'Anchor[keystone::install::end]',
|
||||
)}
|
||||
end
|
||||
|
||||
shared_examples_for "when configuring default domain" do
|
||||
describe 'with default domain and eventlet service is managed and enabled' do
|
||||
let :params do
|
||||
|
|
Loading…
Reference in New Issue