Add tasks for Keystone deployment using Fernet tokens

Bug #1463569 reported by Ian Cordasco
Affects            Status        Importance  Assigned to   Milestone
OpenStack-Ansible  Fix Released  Medium      Ian Cordasco
  Kilo             Fix Released  Medium      Ian Cordasco
  Trunk            Fix Released  Medium      Ian Cordasco

Bug Description

In order for os-ansible-deployment to be able to deploy a Keystone that uses Fernet tokens, a few things need to be added as tasks:

1. All keystone nodes: $ mkdir /etc/keystone/fernet-keys/
2. On any one keystone node: $ keystone-manage fernet_setup
3. From that one node, replicate contents of /etc/keystone/fernet-keys/ to all other keystone nodes

Tags: in-kilo
Ian Cordasco (icordasc)
Changed in openstack-ansible:
assignee: nobody → Ian Cordasco (icordasc)
milestone: none → next
importance: Undecided → Medium
Changed in openstack-ansible:
status: New → Confirmed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to os-ansible-deployment (master)

Fix proposed to branch: master
Review: https://review.openstack.org/189998

Changed in openstack-ansible:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to os-ansible-deployment (kilo)

Fix proposed to branch: kilo
Review: https://review.openstack.org/194194

Changed in openstack-ansible:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to os-ansible-deployment (kilo)

Reviewed: https://review.openstack.org/194194
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=39a0f8d53bcb78a432064290ac9dcfe0bd31252d
Submitter: Jenkins
Branch: kilo

commit 39a0f8d53bcb78a432064290ac9dcfe0bd31252d
Author: Ian Cordasco <email address hidden>
Date: Tue Jun 9 21:16:08 2015 -0500

    Add support for deploying Keystone with Fernet

    This change adds a number of new tasks that are dependent on the value
    of the Keystone token provider (keystone_token_provider) user variable.

    If the keystone_token_provider user_variable is set to
    keystone.token.providers.fernet.Provider then the playbooks will
    appropriately create the fernet keys and distribute them to the rest of
    the keystone containers.

    This also implements key rotation for generated fernet keys similar to
    how the os_nova roles implement key rotation.

    Finally, we also need to build cryptography from master for now.
    Currently, 0.8.x and 0.9.x use versions of cffi<1.0 which causes a bug
    when used with mod_wsgi and Apache. This is fixed in cryptography master
    and will be released in 1.0.

    Closes-bug: 1463569
    Change-Id: I8605e0490a8889d57c6b1b7e03e078fb0da978ab
    (cherry picked from commit 9ad608a53585d3cbddb2e834188059dae7d01979)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to os-ansible-deployment (kilo)

Related fix proposed to branch: kilo
Review: https://review.openstack.org/195226

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: kilo
Review: https://review.openstack.org/196499

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to os-ansible-deployment (kilo)

Reviewed: https://review.openstack.org/195226
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=eccf606d96133e18ba3e3621eb50b726dd10baed
Submitter: Jenkins
Branch: kilo

commit eccf606d96133e18ba3e3621eb50b726dd10baed
Author: kevin <email address hidden>
Date: Fri Jun 19 16:24:06 2015 -0500

    Updated keystone to use fernet as the default

    This change simply enables fernet to be the default token backend
    and disables the keystone memcached configuration for token storage.

    Change-Id: I1037a7fce567e476f07a5d3c220379d656248160
    Related-Bug: #1463569

tags: added: in-kilo
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/196499
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=fafcafa4dfff613fd7e591da9bf68aabbbf2553e
Submitter: Jenkins
Branch: kilo

commit fafcafa4dfff613fd7e591da9bf68aabbbf2553e
Author: kevin <email address hidden>
Date: Thu Jun 25 21:15:11 2015 -0500

    Updated default fernet key usage

    This change makes the use of fernet tokens production ready. The changes are
    as follows:
      * Ensures that the keys are rotated on every playbook execution
      * Removes the need to sync keys back to a deployment host when distributing
        them to other keystone hosts.
      * Creates an autonomous key rotation process that can rotate on the following
        intervals [reboot, yearly, annually, monthly, weekly, daily, hourly] to all
        hosts from any keystone fernet host.
      * Fixes the section in `keystone.conf` which was named "fernet_key" instead
        of "fernet_token".

    Change-Id: I50f6a852930728631f5c681a8aa0f1321d7424ac
    Related-Bug: #1463569
    Closes-Bug: #1468256
    (cherry picked from commit df3edca7a6def8869479feb98ea815f0bc7d30a4)

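As an added example (not code from this bug page or from openstack-ansible), the script below re-implements the Fernet key repository convention that the three setup steps in the bug description and the rotation work in the commits above rely on, so `fernet_setup` and a rotate cycle can be exercised offline in a temporary directory. The file naming follows Keystone's layout (file `0` is the staged key, the highest-numbered file is the primary key, lower numbers are retired keys kept only for validating older tokens); the function names and the `max_active_keys` default are this example's own assumptions.

```python
import base64
import os
import secrets
import tempfile


def _new_key() -> str:
    # A Fernet key is 32 random bytes, urlsafe-base64 encoded (44 chars).
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).decode()


def _write_key(repo: str, key_id: int, key: str) -> None:
    path = os.path.join(repo, str(key_id))
    with open(path, "w") as fh:
        fh.write(key)
    os.chmod(path, 0o600)  # signing keys are secrets: owner read/write only


def key_ids(repo: str) -> list:
    """Key ids present in the repository; 0 is staged, max() is primary."""
    return sorted(int(n) for n in os.listdir(repo) if n.isdigit())


def fernet_setup(repo: str) -> list:
    """Like `keystone-manage fernet_setup`: create the directory with a
    staged key (0) and a first primary key (1)."""
    os.makedirs(repo, mode=0o700, exist_ok=True)
    _write_key(repo, 0, _new_key())
    _write_key(repo, 1, _new_key())
    return key_ids(repo)


def fernet_rotate(repo: str, max_active_keys: int = 3) -> list:
    """Promote the staged key to primary, stage a fresh key as 0, and drop
    the oldest retired keys so at most max_active_keys (>= 2) remain."""
    ids = key_ids(repo)
    with open(os.path.join(repo, "0")) as fh:
        staged = fh.read()
    _write_key(repo, max(ids) + 1, staged)  # staged key becomes primary
    _write_key(repo, 0, _new_key())         # brand-new staged key
    ids = key_ids(repo)
    excess = len(ids) - max(max_active_keys, 2)
    for old in ids[1:1 + max(excess, 0)]:   # oldest retired, never 0/primary
        os.remove(os.path.join(repo, str(old)))
    return key_ids(repo)


def demo() -> list:
    repo = tempfile.mkdtemp()  # constructed throwaway repo, not /etc/keystone
    return [fernet_setup(repo), fernet_rotate(repo), fernet_rotate(repo),
            fernet_rotate(repo, max_active_keys=2)]


if __name__ == "__main__":
    print(demo())  # [[0, 1], [0, 1, 2], [0, 2, 3], [0, 4]]
```

Step 3 of the bug (replicating the directory to the other Keystone nodes) is what makes the rotation safe: a node that has not yet received the new primary key still holds it as its staged key `0`, so it can validate tokens the rotated node has already issued.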
Revision history for this message
Davanum Srinivas (DIMS) (dims-v) wrote : Fix included in openstack/openstack-ansible 11.2.14

This issue was fixed in the openstack/openstack-ansible 11.2.14 release.

Changed in openstack-ansible:
milestone: next → none