Fernet token support for load balancing or HA
We all know that fernet token keys are stored in a directory and keystone loads keys from the directory.
If we use the load-balancing model, each node has a single keystone. The keys on multiple nodes need to be consistent; if they are not, authentication will fail. How do we keep them consistent when rotating the fernet keys?
If we use the HA model, keystone on the master is active while that on the slave is inactive. How do we keep consistency when the master and slave switch?
In my view, the point is how we synchronize the fernet key directory. Use NFS to share the directory?
Blueprint information
- Status: Complete
- Approver: None
- Priority: Undefined
- Drafter: zhengliuyang
- Direction: Needs approval
- Assignee: None
- Definition: Obsolete
- Series goal: None
- Implementation: Unknown
- Milestone target: None
- Started by:
- Completed by: Lance Bragstad
Whiteboard
(lbragstad) 19-02-13: We have a guide in keystone's documentation that is dedicated to answering these questions [0]. If you feel there are still inadequacies in the key rotation approach, please don't hesitate to open a specification against the openstack/
[0] https:/