On Friday 27 March 2015 17:14:28 Boris Bobrov wrote:
> Hello,
> 
> As you know, Keystone introduced non-persistent tokens in Kilo -- Fernet
> tokens. These tokens use Fernet keys, which are rotated from time to time. A
> great description of key rotation and replication can be found in [0] and
> [1] (thanks, lbragstad). In an HA setup there are multiple nodes with
> Keystone and that requires key replication. How do we do that with new
> Fernet tokens?
> 
> Please keep in mind that the solution should be HA -- there should not be
> any "master" server, pushing keys to slave servers, because master server
> might go down.
>
> [...]

[0] and [1] in the mail are:

[0]: http://lbragstad.com/?p=133
[1]: http://lbragstad.com/?p=156

After some discussion in #openstack-keystone it seems that token rotation
should not be a frequent procedure and that the 15 minutes in the blog post was
just an example for the sake of simple math.


-- 
Best regards,
Boris Bobrov

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)