From 1b7a931fd1421e97fbe0c36c882809a815828665 Mon Sep 17 00:00:00 2001
From: Javier Pena
Date: Tue, 20 Mar 2018 15:33:49 +0100
Subject: [PATCH] Replace keystone db flush cron job with a Fernet key rotation job
Previously, we had a cron job to flush removed keystone tokens. Since [1] this is not required anymore, but we need to add a cron job to rotate Fernet keys.
[1] - https://review.openstack.org/544547
Change-Id: I331788ea08322a6f982c87eb195a619bab1c4d2e
---
docs/packstack.rst | 4 ++--
packstack/plugins/keystone_100.py | 8 ++++----
.../puppet/modules/packstack/manifests/keystone.pp | 6 ++----
...on-job-with-fernet-rotation-5b1fccf2bc6add91.yaml | 12 ++++++++++++
4 files changed, 20 insertions(+), 10 deletions(-)
create mode 100644 releasenotes/notes/Replace-keystone-token-flush-cron-job-with-fernet-rotation-5b1fccf2bc6add91.yaml
diff --git a/docs/packstack.rst b/docs/packstack.rst
index 08fbea276..f7d9f2277 100755
--- a/docs/packstack.rst
+++ b/docs/packstack.rst
@@ -308,8 +308,8 @@ Keystone Config parameters
 **CONFIG_KEYSTONE_DB_PW**
 Password to use for the Identity service (keystone) to access the database.
-**CONFIG_KEYSTONE_DB_PURGE_ENABLE**
- Enter y if cron job for removing soft deleted DB rows should be created.
+**CONFIG_KEYSTONE_FERNET_TOKEN_ROTATE_ENABLE**
+ Enter y if cron job to rotate Fernet tokens should be created.
 **CONFIG_KEYSTONE_REGION**
 Default region name to use when creating tenants in the Identity service.
diff --git a/packstack/plugins/keystone_100.py b/packstack/plugins/keystone_100.py
index 76c7fd609..2f5cf86eb 100644
--- a/packstack/plugins/keystone_100.py
+++ b/packstack/plugins/keystone_100.py
@@ -47,10 +47,10 @@ def initConfig(controller):
 "NEED_CONFIRM": True,
 "CONDITION": False},
- {"CMD_OPTION": 'keystone-db-purge-enable',
+ {"CMD_OPTION": 'keystone-fernet-token-rotate-enable',
 "PROMPT": (
- "Enter y if cron job for removing soft deleted DB rows "
- "should be created"
+ "Enter y if cron job to rotate Fernet tokens should be "
+ "created"
 ),
 "OPTION_LIST": ['y', 'n'],
 "VALIDATORS": [validators.validate_not_empty],
@@ -58,7 +58,7 @@ def initConfig(controller):
 "DEFAULT_VALUE": 'y',
 "MASK_INPUT": False,
 "LOOSE_VALIDATION": False,
- "CONF_NAME": 'CONFIG_KEYSTONE_DB_PURGE_ENABLE',
+ "CONF_NAME": 'CONFIG_KEYSTONE_FERNET_TOKEN_ROTATE_ENABLE',
 "USE_DEFAULT": False,
 "NEED_CONFIRM": True,
 "CONDITION": False},
diff --git a/packstack/puppet/modules/packstack/manifests/keystone.pp b/packstack/puppet/modules/packstack/manifests/keystone.pp
index 2c561281c..2bb36d3a4 100644
--- a/packstack/puppet/modules/packstack/manifests/keystone.pp
+++ b/packstack/puppet/modules/packstack/manifests/keystone.pp
@@ -17,11 +17,9 @@ class packstack::keystone ()
 class { '::keystone::client': }
- if hiera('CONFIG_KEYSTONE_DB_PURGE_ENABLE',false) {
- class { '::keystone::cron::token_flush':
- minute => '*/1',
+ if hiera('CONFIG_KEYSTONE_FERNET_TOKEN_ROTATE_ENABLE',false) {
+ class { '::keystone::cron::fernet_rotate':
 require => Service['crond'],
- destination => '/dev/null',
 }
 service { 'crond':
 ensure => 'running',
diff --git a/releasenotes/notes/Replace-keystone-token-flush-cron-job-with-fernet-rotation-5b1fccf2bc6add91.yaml b/releasenotes/notes/Replace-keystone-token-flush-cron-job-with-fernet-rotation-5b1fccf2bc6add91.yaml
new file mode 100644
index 000000000..724a3bc58
--- /dev/null
+++ b/releasenotes/notes/Replace-keystone-token-flush-cron-job-with-fernet-rotation-5b1fccf2bc6add91.yaml
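Review bot: The two added prompt strings in the first hunk tell the operator the cron job rotates "Fernet tokens", but what the job rotates is the Fernet key repository, and this patch's own release note says "rotate Fernet keys"; an operator deciding whether to answer `n` to a key-rotation question should not be told it is about tokens. I would change them to `"Enter y if cron job to rotate Fernet keys should be "` and `"created"`; the docs/packstack.rst hunk carries the same wording. The `CMD_OPTION` and `CONF_NAME` values also say "token", which is harder to change without breaking answer files, so leaving those is defensible. Separately, an answer file that still sets the removed `CONFIG_KEYSTONE_DB_PURGE_ENABLE` to `n` will silently get the new option's `'y'` default; the release note should say so. initConfig starts and ends outside these hunks.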
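Review bot: The added `::keystone::cron::fernet_rotate` declaration takes the class defaults for the rotation schedule, and nothing in the hunk relates that cadence to keystone's `[fernet_tokens] max_active_keys` and the token expiration window; rotating faster than the active-key window allows makes tokens signed with the oldest key fail validation before they expire, while rotating too rarely keeps a leaked key usable for longer than intended. I would add a comment above the `if` block such as `# Fernet key rotation uses keystone::cron::fernet_rotate defaults; the cadence must stay compatible with max_active_keys and token expiration.`. It is also worth confirming that this cron job is declared on only one host when keystone runs on several, since the manifest does not distribute the rotated keys. class packstack::keystone continues outside the hunk.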
@@ -0,0 +1,12 @@
+---
+upgrade:
+ - |
+ A new CONFIG_KEYSTONE_FERNET_TOKEN_ROTATE_ENABLE option has been added to
+ the answer file. When enabled (default), it will create a cron job to
+ rotate Fernet keys.
+deprecations:
+ - |
+ Since Keystone has deprecated token formats requiring storage in the DB,
+ the CONFIG_KEYSTONE_DB_PURGE_ENABLE option has been removed. Instead, we
+ are implementing a cron job to rotate Fernet keys.
+