x/packstack
Code Issues Proposed changes

Replace keystone db flush cron job with a Fernet key rotation job

Browse Source 
Previously, we had a cron job to flush removed keystone tokens. Since
[1] this is not required anymore, but we need to add a cron job to
rotate Fernet keys.

[1] - https://review.openstack.org/544547

Change-Id: I331788ea08322a6f982c87eb195a619bab1c4d2e
This commit is contained in:
Javier Pena 2018-03-20 15:33:49 +01:00 committed by Alfredo Moralejo
parent 73e0b07200
commit 1b7a931fd1
4 changed files with 20 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
docs/packstack.rst
View File

@ -308,8 +308,8 @@ Keystone Config parameters
**CONFIG_KEYSTONE_DB_PW** **CONFIG_KEYSTONE_DB_PW**
Password to use for the Identity service (keystone) to access the database. Password to use for the Identity service (keystone) to access the database.
**CONFIG_KEYSTONE_DB_PURGE_ENABLE** **CONFIG_KEYSTONE_FERNET_TOKEN_ROTATE_ENABLE**
Enter y if cron job for removing soft deleted DB rows should be created. Enter y if cron job to rotate Fernet tokens should be created.
**CONFIG_KEYSTONE_REGION** **CONFIG_KEYSTONE_REGION**
Default region name to use when creating tenants in the Identity service. Default region name to use when creating tenants in the Identity service.

8
packstack/plugins/keystone_100.py
View File

@ -47,10 +47,10 @@ def initConfig(controller):
"NEED_CONFIRM": True, "NEED_CONFIRM": True,
"CONDITION": False}, "CONDITION": False},
{"CMD_OPTION": 'keystone-db-purge-enable', {"CMD_OPTION": 'keystone-fernet-token-rotate-enable',
"PROMPT": ( "PROMPT": (
"Enter y if cron job for removing soft deleted DB rows " "Enter y if cron job to rotate Fernet tokens should be "
"should be created" "created"
), ),
"OPTION_LIST": ['y', 'n'], "OPTION_LIST": ['y', 'n'],
"VALIDATORS": [validators.validate_not_empty], "VALIDATORS": [validators.validate_not_empty],
@ -58,7 +58,7 @@ def initConfig(controller):
"DEFAULT_VALUE": 'y', "DEFAULT_VALUE": 'y',
"MASK_INPUT": False, "MASK_INPUT": False,
"LOOSE_VALIDATION": False, "LOOSE_VALIDATION": False,
"CONF_NAME": 'CONFIG_KEYSTONE_DB_PURGE_ENABLE', "CONF_NAME": 'CONFIG_KEYSTONE_FERNET_TOKEN_ROTATE_ENABLE',
"USE_DEFAULT": False, "USE_DEFAULT": False,
"NEED_CONFIRM": True, "NEED_CONFIRM": True,
"CONDITION": False}, "CONDITION": False},

6
packstack/puppet/modules/packstack/manifests/keystone.pp
View File

@ -17,11 +17,9 @@ class packstack::keystone ()
class { '::keystone::client': } class { '::keystone::client': }
if hiera('CONFIG_KEYSTONE_DB_PURGE_ENABLE',false) { if hiera('CONFIG_KEYSTONE_FERNET_TOKEN_ROTATE_ENABLE',false) {
class { '::keystone::cron::token_flush': class { '::keystone::cron::fernet_rotate':
minute => '*/1',
require => Service['crond'], require => Service['crond'],
destination => '/dev/null',
} }
service { 'crond': service { 'crond':
ensure => 'running', ensure => 'running',

12
releasenotes/notes/Replace-keystone-token-flush-cron-job-with-fernet-rotation-5b1fccf2bc6add91.yaml Normal file
View File

@ -0,0 +1,12 @@
---
upgrade:
- |
A new CONFIG_KEYSTONE_FERNET_TOKEN_ROTATE_ENABLE option has been added to
the answer file. When enabled (default), it will create a cron job to
rotate Fernet keys.
deprecations:
- |
Since Keystone has deprecated token formats requiring storage in the DB,
the CONFIG_KEYSTONE_DB_PURGE_ENABLE option has been removed. Instead, we
are implementing a cron job to rotate Fernet keys.