From 261eeaa19bb4c9e9ea89fac28e473fa44c4a55de Mon Sep 17 00:00:00 2001 From: Pavlo Shchelokovskyy Date: Thu, 21 Feb 2019 13:06:10 +0200 Subject: [PATCH] Add hint for order of keys during distribution If the new primary key is not the first to be distributed after fernet key rotation, there may be a small time window during the key distribution when tokens issued by the node where fernet rotation was performed can not be validated on the node where keys are being distributed to. Change-Id: I34b5cadd12815ee95c71d8c163504390a9e5e343 Closes-Bug: #1816927 --- doc/source/admin/fernet-token-faq.rst | 4 ++-- releasenotes/notes/bug-1816927-e17f4e596e611380.yaml | 8 ++++++++ 2 files changed, 10 insertions(+), 2 deletions(-) create mode 100644 releasenotes/notes/bug-1816927-e17f4e596e611380.yaml diff --git a/doc/source/admin/fernet-token-faq.rst b/doc/source/admin/fernet-token-faq.rst index df175fce0b..c49d6e2602 100644 --- a/doc/source/admin/fernet-token-faq.rst +++ b/doc/source/admin/fernet-token-faq.rst @@ -87,8 +87,8 @@ The :command:`keystone-manage` command line utility includes a key rotation mechanism. This mechanism will initialize and rotate keys but does not make an effort to distribute keys across keystone nodes. The distribution of keys across a keystone deployment is best handled through configuration management -tooling. Use :command:`keystone-manage fernet_rotate` to rotate the key -repository. +tooling, however ensure that the new primary key is distributed first. +Use :command:`keystone-manage fernet_rotate` to rotate the key repository. Do fernet tokens still expire? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/releasenotes/notes/bug-1816927-e17f4e596e611380.yaml b/releasenotes/notes/bug-1816927-e17f4e596e611380.yaml new file mode 100644 index 0000000000..5fc56d1dc1 --- /dev/null +++ b/releasenotes/notes/bug-1816927-e17f4e596e611380.yaml 
@@ -0,0 +1,8 @@ +--- +fixes: + - | + [`bug 1816927 `_] + It was discovered that the order in which fernet keys are distributed + after fernet key rotation has impact on keystone service. + All operators are advised to ensure that during fernet key distribution + the new primary fernet key (with largest number) is distributed first.
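Review bot: In the `fernet-token-faq.rst` hunk, the added sentence "tooling, however ensure that the new primary key is distributed first." is a comma splice and, more importantly, leaves the reader without the reason the order matters, which the commit message explains well. Suggest splitting it and carrying that reason into the doc, e.g. "tooling. However, make sure the new primary key (the one with the highest index in the repository) is distributed before the others: tokens issued by the node where the rotation ran are encrypted with that key, and until it arrives on the other nodes they cannot validate those tokens." Also consider stating the practical check an operator can make, namely that each node's key repository contains the same highest-numbered key before the old keys are removed, since that is the condition the FAQ is really trying to guarantee.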
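Review bot: In the release note hunk, the hyperlink `[`bug 1816927 `_]` has no `<target>` as shown here; if the URL was not dropped in transit, reno will render this as an unresolved reference, so please confirm the link carries its target (the form used elsewhere in the release notes is `` `bug 1816927 <https://bugs.launchpad.net/keystone/+bug/1816927>`_ ``). Separately, "has impact on keystone service" is too vague for an operator reading the note: say what the impact is, i.e. that during distribution, tokens issued by the node where `keystone-manage fernet_rotate` ran cannot be validated on nodes that have not yet received the new primary key, so that operators understand what symptom the recommended ordering avoids.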