Fix Fernet key rotation
Previously, depending on the size of CONF.fernet_tokens.max_active_keys, keys
were pruned or not depending on whether the excess_keys slice bound was
negative. In some cases this meant the key repository never actually reached
CONF.fernet_tokens.max_active_keys keys.
Change-Id: Icf47d6612ef0e98e876334f56c993666df081b50
Closes-Bug: 1465444
(cherry picked from commit 46f56119a0
)
parent
1608f7253b
commit
7498154ad8
|
@ -208,11 +208,13 @@ def rotate_keys(keystone_user_id=None, keystone_group_id=None):
|
|||
|
||||
# purge excess keys
|
||||
keys = sorted(key_files.keys())
|
||||
excess_keys = (
|
||||
keys[:len(key_files) - CONF.fernet_tokens.max_active_keys + 1])
|
||||
LOG.info(_LI('Excess keys to purge: %s'), excess_keys)
|
||||
for i in excess_keys:
|
||||
os.remove(key_files[i])
|
||||
number_of_keys_to_purge = max(
|
||||
0, len(key_files) - CONF.fernet_tokens.max_active_keys + 1)
|
||||
if number_of_keys_to_purge > 0:
|
||||
excess_keys = keys[:number_of_keys_to_purge]
|
||||
LOG.info(_LI('Excess keys to purge: %s'), excess_keys)
|
||||
for i in excess_keys:
|
||||
os.remove(key_files[i])
|
||||
|
||||
|
||||
def load_keys():
|
||||
|
|
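Review bot: The new `number_of_keys_to_purge = max(0, len(key_files) - CONF.fernet_tokens.max_active_keys + 1)` is bounded below but not above, so a `max_active_keys` of 0 or less makes `keys[:number_of_keys_to_purge]` cover every entry and every file tracked in `key_files` is removed, after which tokens encrypted with those keys can no longer be validated. rotate_keys starts outside this hunk, so the option may already be validated earlier; if it is not, clamp it before use, e.g. `max_active_keys = max(1, CONF.fernet_tokens.max_active_keys)`, and use that local in the expression. The `+ 1` also deserves a one-line comment saying which key it leaves room for (presumably the staged key, if that is not in `key_files`; confirm against the code above the hunk).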