Default keystone token backend in KILO is not HA
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack-Ansible | Fix Released | High | Kevin Carter |
Kilo | Fix Released | High | Kevin Carter |
Trunk | Fix Released | High | Kevin Carter |
Bug Description
In the kilo release, the default token backend for keystone uses memcached, pointing to a list of memcaches that run in each keystone container.
Given that keystone needs the same set of servers on all its instances, so as to make all tokens available to all instances, whilst tokens are only kept on 1 specific memcache instance (based on a hash algorithm), this implies that all memcache instances need to be available at all times.
Memcache does not federate its data, so the loss of an instance means the loss of a token, which yields authentication errors both in frontend and backend applications.
This setup is not HA, and should definitely not be the default one proposed. Currently the best quick alternative is to use mysql as a token backend - which was the default in Juno. (set keystone_
The better solution is to have the fernet token backend, which is an upcoming feature to be implemented in OSAD, and will probably be backported to Kilo.
This issue was discussed with the OSAD team. Depending on how fast this updates lands in Kilo, one should however consider the best option to solve this in the current kilo release ASAP.
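As an added illustration (constructed code, not part of this bug report or of OpenStack-Ansible), the failure mode described above modelled in Python: every keystone instance maps a token to one memcache node by hashing its id, nothing is replicated, so losing one of N nodes makes roughly 1/N of valid tokens fail validation, whereas a shared SQL store loses none. The node-selection hash (SHA-1 mod node count) is an assumption for the model, not the client library's real algorithm.

```python
import hashlib


def node_for(token_id: str, nodes: list) -> str:
    """Pick the single node holding this token (assumed hashing scheme)."""
    digest = hashlib.sha1(token_id.encode()).digest()
    return nodes[int.from_bytes(digest[:4], "big") % len(nodes)]


class MemcacheTokenStore:
    """Each token is written to exactly one node; a node outage loses its tokens."""

    def __init__(self, nodes):
        self.nodes = list(nodes)            # same list configured on every keystone
        self.data = {n: {} for n in nodes}  # per-node, unreplicated storage
        self.up = set(nodes)

    def issue(self, token_id: str, user: str) -> None:
        node = node_for(token_id, self.nodes)
        if node in self.up:                 # write to a dead node is simply lost
            self.data[node][token_id] = user

    def validate(self, token_id: str) -> bool:
        node = node_for(token_id, self.nodes)
        return node in self.up and token_id in self.data[node]

    def fail_node(self, node: str) -> None:
        self.up.discard(node)


class SqlTokenStore:
    """Shared database: every keystone instance sees every token."""

    def __init__(self):
        self.data = {}

    def issue(self, token_id: str, user: str) -> None:
        self.data[token_id] = user

    def validate(self, token_id: str) -> bool:
        return token_id in self.data


def lost_fraction(store, tokens) -> float:
    """Share of previously issued tokens that now fail validation."""
    return sum(not store.validate(t) for t in tokens) / len(tokens)


def simulate(n_tokens=3000, nodes=("mc1", "mc2", "mc3"), failed="mc2") -> dict:
    """Issue tokens (constructed ids), kill one memcache node, compare backends."""
    tokens = [f"token-{i:05d}" for i in range(n_tokens)]
    mc, sql = MemcacheTokenStore(nodes), SqlTokenStore()
    for t in tokens:
        mc.issue(t, "user")
        sql.issue(t, "user")
    before = lost_fraction(mc, tokens)
    mc.fail_node(failed)
    return {"memcache_before": before, "memcache_after": lost_fraction(mc, tokens),
            "sql_after": lost_fraction(sql, tokens)}
```

With three nodes the memcache backend loses about a third of all live tokens the moment one node goes away; those users get authentication errors until they re-authenticate, which is the outage the report describes.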
Changed in openstack-ansible:
importance: Undecided → Critical
importance: Critical → High
status: New → Confirmed
milestone: 11.0.3 → 11.0.4
Changed in openstack-ansible:
assignee: nobody → Kevin Carter (kevin-carter)
Changed in openstack-ansible:
status: Confirmed → In Progress
Changed in openstack-ansible:
milestone: 11.0.4 → 11.1.0
Changed in openstack-ansible:
status: In Progress → Fix Committed
In tomorrow's meeting, June 25, 2015, we'll be talking about the use of fernet as the default in the Kilo branch for the 11.x.y series. Should fernet not be ratified, we'll look at going back to sql backed token storage which is HA capable at the detriment of performance. If you have time we'd love for your input into the meeting on this topic [ https://wiki.openstack.org/wiki/Meetings/openstack-ansible ].