Excessive log entries for Fernet encryption key loading.

Bug #1672883 reported by Matthew Roark
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Mirantis OpenStack | Fix Released | Low | MOS Maintenance |
8.0.x | Fix Released | Low | Max Yatsenko |
9.x | Fix Released | Low | Max Yatsenko |

Bug Description

This is related to the upstream bug: https://bugs.launchpad.net/keystone/+bug/1615111

The following is printed in the Keystone logs for every token validation when the Fernet keys need to be rotated: "Loaded 2 encryption keys (max_active_keys=3) from: /etc/keystone/fernet-keys"

It should be lowered to DEBUG level instead of INFO level to avoid filling up the logs.

no longer affects: mos/10.0.x
tags: added: area-keystone
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/keystone (9.0/mitaka)

Fix proposed to branch: 9.0/mitaka
Change author: Max Yatsenko <email address hidden>
Review: https://review.fuel-infra.org/35651

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/keystone (openstack-ci/fuel-8.0/liberty)

Fix proposed to branch: openstack-ci/fuel-8.0/liberty
Change author: Max Yatsenko <email address hidden>
Review: https://review.fuel-infra.org/35654

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to openstack/keystone (openstack-ci/fuel-8.0/liberty)

Reviewed: https://review.fuel-infra.org/35654
Submitter: Pkgs Jenkins <email address hidden>
Branch: openstack-ci/fuel-8.0/liberty

Commit: 3f8643b0f36827b1cf9a8bc23f9cda8e33fb1894
Author: Max Yatsenko <email address hidden>
Date: Fri Jun 16 13:15:21 2017

Reduce log level for fernet key count message

It reduces the log level, also it updates log message to be more informative.
The following upstream patches were used to assemble the patch:
[1] Reduce log level of Fernet key count message
[2] Emit log message for fernet tokens only
[3] Fix formatting strings in LOG.debug

[1] https://review.openstack.org/#/c/359941/
[2] https://review.openstack.org/#/c/364986/
[3] https://review.openstack.org/#/c/361895/

Closes-Bug: 1672883
(cherry picked from commit: 1200c2c86d1213e6f968d5f3d555e6f2b97db701)

Change-Id: Iab7afc7a0371df4517068650222fdd3ffbc70c57

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to openstack/keystone (9.0/mitaka)

Reviewed: https://review.fuel-infra.org/35651
Submitter: Pkgs Jenkins <email address hidden>
Branch: 9.0/mitaka

Commit: 1200c2c86d1213e6f968d5f3d555e6f2b97db701
Author: Max Yatsenko <email address hidden>
Date: Fri Jun 16 10:37:11 2017

Reduce log level for fernet key count message

It reduces the log level, also it updates log message to be more informative.
The following upstream patches were used to assemble the patch:
[1] Reduce log level of Fernet key count message
[2] Emit log message for fernet tokens only
[3] Fix formatting strings in LOG.debug

[1] https://review.openstack.org/#/c/359941/
[2] https://review.openstack.org/#/c/364986/
[3] https://review.openstack.org/#/c/361895/

Change-Id: Iab7afc7a0371df4517068650222fdd3ffbc70c57
Closes-Bug: 1672883

Max Yatsenko (myatsenko) wrote :
Ilya Bumarskov (ibumarskov) wrote :

Verified on Fuel 8.0 MU-5:

Keystone logs:
<15>Jul 18 09:25:04 node-3 admin: 2017-07-18 09:25:04.845 23847 DEBUG keystone.token.providers.fernet.utils [req-8023bce3-933f-4aaf-b96b-9388bcab5687 - - - - -] Loaded 2 Fernet keys from /etc/keystone/fernet-keys, but `[fernet_tokens] max_active_keys = 3`; perhaps there have not been enough key rotations to reach `max_active_keys` yet? load_keys /usr/lib/python2.7/dist-packages/keystone/token/providers/fernet/utils.py:267

Dmitry (dtsapikov) wrote :

Verified on 9.2+mu3

Changed in mos:
status: Confirmed → Fix Released
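
The behaviour the fix describes, as an added Python sketch that is not Keystone's own code: a key loader that reports the key count at DEBUG with deferred string formatting, using the message text from the verification log above. It uses the standard `logging` module rather than Keystone's logger; the `load_keys` signature, the integer-named key files, the emit-only-on-mismatch condition and the `messages_at` helper are assumptions made for the illustration.

```python
import logging
import os
import tempfile

LOG = logging.getLogger("fernet_key_demo")  # hypothetical logger name

def load_keys(key_repository, max_active_keys):
    """Return keys from integer-named files, highest index first (assumed layout)."""
    keys = {}
    for name in os.listdir(key_repository):
        if name.isdigit():  # skip anything not named by a key index
            with open(os.path.join(key_repository, name)) as fh:
                keys[int(name)] = fh.read().strip()
    ordered = [keys[i] for i in sorted(keys, reverse=True)]
    if len(ordered) != max_active_keys:
        # DEBUG, not INFO: this path runs on every token validation. Values are
        # passed as arguments so the string is only built when DEBUG is enabled.
        LOG.debug(
            "Loaded %(count)d Fernet keys from %(dir)s, but "
            "`[fernet_tokens] max_active_keys = %(max)d`; perhaps there have "
            "not been enough key rotations to reach `max_active_keys` yet?",
            {"count": len(ordered), "dir": key_repository, "max": max_active_keys},
        )
    return ordered

class _Capture(logging.Handler):
    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(record)

def messages_at(level, key_count=2, max_active_keys=3):
    """Load a constructed key repository once and return what was logged."""
    handler = _Capture()
    LOG.addHandler(handler)
    LOG.setLevel(level)
    LOG.propagate = False
    try:
        with tempfile.TemporaryDirectory() as repo:
            for i in range(key_count):
                with open(os.path.join(repo, str(i)), "w") as fh:
                    fh.write("constructed-key-%d" % i)  # constructed, not a real key
            load_keys(repo, max_active_keys)
    finally:
        LOG.removeHandler(handler)
    return [r.getMessage() for r in handler.records]
```

With the logger at INFO, `messages_at(logging.INFO)` returns an empty list; at DEBUG it returns the single key-count message.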