Hello,
As you know, keystone introduced non-persistent tokens in kilo -- Fernet
tokens. These tokens use Fernet keys, which are rotated from time to time. A
great description of key rotation and replication can be found on [0] and [1]
(thanks, lbragstad). In an HA setup there are multiple nodes
On Fri, Mar 27, 2015 at 11:48:29AM -0400, David Stanek wrote:
On Fri, Mar 27, 2015 at 10:14 AM, Boris Bobrov bbob...@mirantis.com wrote:
As you know, keystone introduced non-persistent tokens in kilo -- Fernet
tokens. These tokens use Fernet keys, which are rotated from time to time. A
On Fri, Mar 27, 2015 at 10:14 AM, Boris Bobrov bbob...@mirantis.com wrote:
As you know, keystone introduced non-persistent tokens in kilo -- Fernet
tokens. These tokens use Fernet keys, which are rotated from time to time. A
great description of key rotation and replication can be found on [0]
On Friday 27 March 2015 17:14:28 Boris Bobrov wrote:
Hello,
As you know, keystone introduced non-persistent tokens in kilo -- Fernet
tokens. These tokens use Fernet keys, which are rotated from time to time. A
great description of key rotation and replication can be found on [0] and
[1]
Matt,
The idea is you have a staging key (next key) and you generate that, and sync
it out. Once it is synced out you can rotate to it as needed. All keys on the
server are valid for token validation. Only the active key is used for a
given keystone to issue a token.
Lance has some ansible
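
The staged-key scheme described in the reply above, as an added example that is not part of the original thread or keystone's own code. HMAC-SHA256 tags stand in for Fernet encryption, and the `Node` class, its fields and the two scenario functions are hypothetical names; it shows that nodes can rotate one at a time once the staged key is synced, and that a token fails on a node that never received that key.

```python
import hashlib
import hmac
import os


class Node:
    """One keystone node's key set (hypothetical model, not keystone code)."""

    def __init__(self, active: bytes, staged: bytes):
        self.active = active      # the only key this node issues tokens with
        self.staged = staged      # next key, synced out before any rotation
        self.retired = []         # older keys, kept for validation only

    def _tag(self, key: bytes, payload: bytes) -> bytes:
        return hmac.new(key, payload, hashlib.sha256).digest()

    def issue(self, payload: bytes) -> bytes:
        return self._tag(self.active, payload) + payload

    def validate(self, token: bytes) -> bool:
        # Every key on the node is valid for validation.
        tag, payload = token[:32], token[32:]
        keys = [self.active, self.staged] + self.retired
        return any(hmac.compare_digest(tag, self._tag(k, payload)) for k in keys)

    def rotate(self, new_staged: bytes) -> None:
        """Promote the staged key to active and stage the next one."""
        self.retired.append(self.active)
        self.active, self.staged = self.staged, new_staged


def rolling_rotation():
    """Staged key synced to both nodes first; node A rotates before node B."""
    k_active, k_staged = os.urandom(32), os.urandom(32)   # constructed keys
    a, b = Node(k_active, k_staged), Node(k_active, k_staged)
    a.rotate(os.urandom(32))
    from_a = a.issue(b"user=demo")   # signed with the key B still holds as staged
    from_b = b.issue(b"user=demo")   # signed with the key A now holds as retired
    return b.validate(from_a), a.validate(from_b)


def unsynced_rotation():
    """Node A rotates to a key that node B never received."""
    k_active = os.urandom(32)
    a = Node(k_active, os.urandom(32))
    b = Node(k_active, os.urandom(32))   # B's staged key differs from A's
    a.rotate(os.urandom(32))
    return b.validate(a.issue(b"user=demo"))
```
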
Do the keys all need to be changed at once in a cluster? If so, that makes
it difficult for puppet, at least how we do puppet deployments.
Also, David, can you share your ansible script for this?
On Fri, Mar 27, 2015 at 9:48 AM, David Stanek dsta...@dstanek.com wrote:
On Fri, Mar 27, 2015 at