Fernet token support for load balancing or HA

Registered by zhengliuyang

We all know that fernet token keys are stored in a directory and keystone loads keys from that directory.
If we use a load-balanced model, each node has a single keystone. The keys on the nodes need to be consistent; if they are not, authentication will fail. How do we keep them consistent when rotating the fernet keys?
If we use an HA model, keystone on the master is active while the one on the slave is inactive. How do we keep consistency when the master and slave switch?
In my view, the point is how we synchronize the fernet key directory. Use NFS to share the directory?

Blueprint information

Status: Complete
Approver: None
Priority: Undefined
Drafter: zhengliuyang
Direction: Needs approval
Assignee: None
Definition: Obsolete
Series goal: None
Implementation: Unknown
Milestone target: None
Completed by: Lance Bragstad

Whiteboard

(lbragstad) 19-02-13: We have a guide in keystone's documentation that is dedicated to answering these questions [0]. If you feel there are still inadequacies in the key rotation approach, please don't hesitate to open a specification against the openstack/keystone-specs repository.

[0] https://docs.openstack.org/keystone/latest/admin/fernet-token-faq.html
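
An added example, not part of the blueprint or of keystone's code: one way to detect the inconsistency the description worries about is to compare per-key SHA-256 fingerprints of each node's key directory, so the keys themselves never leave the node. It assumes keystone's layout of key files named by integer index; the function names and the sample key values are constructed for illustration.

```python
import hashlib
import os
import tempfile


def repo_fingerprint(key_dir):
    """Map key index -> SHA-256 of the key file contents."""
    fp = {}
    for name in os.listdir(key_dir):
        if not name.isdigit():  # key files are named 0, 1, 2, ...
            continue
        with open(os.path.join(key_dir, name), "rb") as f:
            fp[int(name)] = hashlib.sha256(f.read().strip()).hexdigest()
    return fp


def compare_repos(reference, other):
    """Return sorted (index, problem) pairs where `other` differs."""
    problems = []
    for idx in sorted(set(reference) | set(other)):
        if idx not in other:
            problems.append((idx, "missing"))
        elif idx not in reference:
            problems.append((idx, "unexpected"))
        elif reference[idx] != other[idx]:
            problems.append((idx, "content differs"))
    return problems


def write_keys(key_dir, keys):
    """Populate a directory with constructed sample keys (not real keys)."""
    for idx, value in keys.items():
        with open(os.path.join(key_dir, str(idx)), "wb") as f:
            f.write(value)


def demo():
    # Constructed scenario: node B did not receive the last rotation.
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        write_keys(a, {0: b"staged-new", 1: b"old-primary", 2: b"primary"})
        write_keys(b, {0: b"staged-old", 1: b"old-primary"})
        return compare_repos(repo_fingerprint(a), repo_fingerprint(b))


if __name__ == "__main__":
    for idx, problem in demo():
        print(f"key {idx}: {problem}")
```

Each node can publish only its `repo_fingerprint` output, and a monitoring job can run `compare_repos` against the node that performs rotation.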
