Fernet rotate doesn't prevent rotation when disk is full

Hi John,

Would you be able to check the contents of the key? It looks like the staged key, or the zero key (0), doesn't contain *anything*. As a result, the MultiFernet object is unable to initialize itself. The error being reported by keystone is actually coming from the fernet library [0].

How many max_active_keys are you using? More than 11? Are there any keys in your key repository that you know are stale and you can remove?

[0] https://github.com/pyca/cryptography/blob/7ff4c8fe2400244a2e6e2a86bc015b2025907b5a/src/cryptography/fernet.py#L35-L38

I'm did a little more digging on this and wanted to document a possible improvement we could make.

During the rotation process, we rename the current staged key to be the next primary [0]. Immediately afterwords, we create a new staged key named `0` [1]. I'm assuming this is the step that writes nothing to the key when the disk is full. One possible improvement we could make would be to validate the key that was written to the file matches a given length. If it does then we assume it was written to disk successfully. If not, then we assume something bad happened on the disk and we do a rollback of the previous primary key promotion (renaming the now primary key back to `0`, making it the staged key, then ensure the key that was the primary becomes the primary again - completing the rollback).

The advantage would be that keystone would fail in the rotation process, but still allow tokens to be issued and validated, instead of allowing the rotation to complete (unsuccessfully) and fail at token creation or validation time because the MutliFernet object can't be initialized. Regardless, there would need to be some sort of operator intervention in order to fix a full disk and do future rotations.

[0] https://github.com/openstack/keystone/blob/613c048b6f4bda91de1c0e9618abd0bda78ccc50/keystone/common/fernet_utils.py#L199-L203
[1] https://github.com/openstack/keystone/blob/613c048b6f4bda91de1c0e9618abd0bda78ccc50/keystone/common/fernet_utils.py#L211

Hi Lance,

How about creating `0.tmp` first, and then check if it pass the validation (key length)? If yes, then start doing the rotation (i.e. rename current staged key to the next primary, and then rename `0.tmp` to `0`). If not, then delete `0.tmp` and leave some error messages.

John, that would be a possibility. If you have any progress locally, feel free to push it for review and we'll see what the rest of the team thinks about the approach.

Thanks!

Fix proposed to branch: master
Review: https://review.openstack.org/413495

Reviewed: https://review.openstack.org/413495
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=5b7c9a66f0aed860ea0776d4c5b42710d88fcb5f
Submitter: Jenkins
Branch: master

commit 5b7c9a66f0aed860ea0776d4c5b42710d88fcb5f
Author: johnlinp <email address hidden>
Date: Wed Dec 21 15:17:01 2016 +0800

    Handle disk write failure when doing Fernet key rotation

    _create_new_key() is broke down into 2 parts:

    1. _create_tmp_new_key()
    2. _become_valid_new_key()

    This can avoid empty Fernet keys when the write to the
    staged key fails. The _become_valid_new_key() is called
    only after a successful call to _create_tmp_new_key().

    Change-Id: Iaf33e2b291f13b9eb9464ef345a8664a634121ff
    Closes-Bug: #1642457
    Signed-off-by: John Lin <email address hidden>

This issue was fixed in the openstack/keystone 11.0.0.0b3 development milestone.

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/439400

Proposed a revert for the above fix in https://review.openstack.org/#/c/442513/ as it does not appear to address the buggy behavior of writing empty key files.

I also don't think the impact of this should be Wishlist, as there are no new features being requested. Instead, this is an edge case with Low impact -- or Medium if the effect can cascade through multiple rotation attempts.

Hi Dolph,

I don't understand why you think the fix doesn't solve the problem. I've tested it in the unit test and a real full disk environment. They worked as expected.

Can you explain why you think there can still be empty keys? Thanks!

After poking at the test in the original patch, I've abandoned the revert because I forgot about the behavior in the key loader that skips non-numeric file names (so 0.tmp would be skipped, even if it was empty, thus avoiding the issue).

Since that after multiple rotation attempts will produce multiple empty key files, I suggest that the importance should be "Medium" according to Dolph's previous comment.

Related fix proposed to branch: stable/newton
Review: https://review.openstack.org/443158

@John: That's exactly what I was testing this morning :) I'd like to see the fix backported, but want to ensure I understand the impact. To do so, I've been attempting to reproduce the original bug. However, using the test approach in the patch merged to master against stable/newton produces a totally different behavior than the one described in the bug. Specifically, the first rotation returns successfully but fails to rotate anything, and all the keys that appear on disk are fine. Subsequent rotations result in OSErrors that prevent any further rotation, which would be a totally different bug. In between each rotation attempt, I can validate that all key files on disk contain valid keys, each are non-empty, and more importantly, the keys don't appear to change. No empty key files are ever created when flush() raises an IOError. Any suggestions?

See the patchset in #13 for an illustration.

Change abandoned by Tony Breeds (<email address hidden>) on branch: stable/newton
Review: https://review.openstack.org/443158
Reason: This branch (stable/newton) is at End Of Life

Change abandoned by Tony Breeds (<email address hidden>) on branch: stable/newton
Review: https://review.openstack.org/439400
Reason: This branch (stable/newton) is at End Of Life