Use fernet tokens with keystone

Registered by Sam Yaple on 2015-08-29

Fernet tokens have a large advantage over UUID in terms of token generation. They are virtually instantly generated. Validation is the same speed, if not just a bit slower. However, this prevents needing to store tokens in the database (and clean tokens out of the database) resulting in a huge net gain for performance in a lot of ways.

I recommend we use it as the default token driver for Mitaka.

Blueprint information

Steven Dake
Sam Yaple
Shaun Smekel
Series goal: Accepted for newton
Milestone target: newton-3
Started by Steven Dake on 2016-03-13
Completed by Swapnil Kulkarni on 2016-09-01

seems a little late to change all token generation in kolla to something that isn't really proven tech in a RC. --sdake

Agreed, I don't remember exactly what I was thinking, but I am almost positive I meant the default token driver for Mitaka, not Liberty. I just wanted it included in Liberty. Either way that is what it says now. --SamYaple

It would be great if we can jam this into Mitaka - although I know everyone is overloaded and the request is coming late. --sdake

This blueprint is far from complete given the TODO items in the work items, so bouncing to newton 1. --sdake

Moving to newton-3, expected to be released on 2016-09-02. Please try to finish it before that, otherwise it will be moved to Ocata. --coolsvap

Gerrit topic: bp/keystone-fernet-token

Addressed by:
    Fernet Key Implementation [WIP]

Addressed by:
    Add full support for fernet [WIP]

Addressed by:
    Add dockerfiles for keystone fernet

Addressed by:
    Urgent: Fixes build failures


Work Items

Provide config options for all services in an {{if}} based on what the token driver is: TODO
Provide playbook for rotating the keys around. NOTE(SamYaple): The ceph should help here a lot: TODO
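The stateless validation described in the blueprint text, and the key rotation the second work item asks for, as an added example that is not part of the blueprint or of kolla: a simplified, standard-library-only model of the fernet design (timestamped token, keyed MAC, a key repository with a primary key and retired keys), not the real Fernet format, which additionally encrypts the payload with AES-CBC. Keys and claims are constructed.

```python
import base64
import hashlib
import hmac
import json
import struct

HEADER_LEN, MAC_LEN = 8, 32  # big-endian issue time (as in fernet), HMAC-SHA256 tag
def issue(key: bytes, payload: dict, now: int) -> str:
    """Mint a token: timestamp || payload, authenticated with HMAC-SHA256."""
    body = struct.pack(">Q", now) + json.dumps(payload, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + mac).decode()  # nothing is stored

def validate(keys: list, token: str, now: int, ttl: int = 3600):
    """Payload if the token verifies under some repository key and is fresh, else None."""
    raw = base64.urlsafe_b64decode(token.encode())
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    # Primary key first, then retired keys still in the repository, so tokens
    # minted just before a rotation keep validating. Only the key set is needed.
    for key in keys:
        if hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), mac):
            issued = struct.unpack(">Q", body[:HEADER_LEN])[0]
            if now - issued > ttl:
                return None  # authentic but expired
            return json.loads(body[HEADER_LEN:])
    return None  # no key authenticates it (wrong key, retired key, or tampered)

def rotate(keys: list, new_key: bytes, max_keys: int = 2) -> list:
    """New key becomes primary; the oldest drops off once max_keys is exceeded."""
    return ([new_key] + keys)[:max_keys]

def demo() -> dict:
    k0, k1, k2 = b"k0" * 16, b"k1" * 16, b"k2" * 16  # constructed keys
    claims = {"user": "demo", "project": "admin"}    # constructed payload
    keys = [k0]
    old = issue(keys[0], claims, now=1000)
    keys = rotate(keys, k1)                          # [k1, k0]
    new = issue(keys[0], claims, now=1100)
    old_after_one = validate(keys, old, now=1200)    # k0 still in repository
    keys = rotate(keys, k2)                          # [k2, k1]: k0 retired
    raw = bytearray(base64.urlsafe_b64decode(new.encode()))
    raw[HEADER_LEN] ^= 1                             # flip one payload byte
    tampered = base64.urlsafe_b64encode(bytes(raw)).decode()
    return {
        "old_after_one_rotation": old_after_one,
        "old_after_two_rotations": validate(keys, old, now=1200),
        "new_after_two_rotations": validate(keys, new, now=1200),
        "expired": validate(keys, new, now=1100 + 3601),
        "tampered": validate(keys, tampered, now=1200),
    }
```

A token signed under the retired key stops validating after the second rotation, which is why the rotation playbook must keep the previous key alongside the new primary for at least one token lifetime.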
