Was able to replicate this I believe:

- With primary fernet key as "1", create an empty key file "2".
- Perform keystone-manage fernet_rotate (which passes) [0]
- Try to authenticate [1]
- Verified "2" is an empty file
[0]
2018-02-21 12:01:57.926 3643 INFO keystone.common.token_utils [-] Starting key rotation with 3 key files: ['/etc/keystone/fernet-keys/0', '/etc/keystone/fernet-keys/1', '/etc/keystone/fernet-keys/2']
2018-02-21 12:01:57.928 3643 INFO keystone.common.token_utils [-] Created a new temporary key: /etc/keystone/fernet-keys/0.tmp
2018-02-21 12:01:57.929 3643 INFO keystone.common.token_utils [-] Current primary key is: 2
2018-02-21 12:01:57.931 3643 INFO keystone.common.token_utils [-] Next primary key will be: 3
2018-02-21 12:01:57.932 3643 INFO keystone.common.token_utils [-] Promoted key 0 to be the primary: 3
2018-02-21 12:01:57.933 3643 INFO keystone.common.token_utils [-] Become a valid new key: /etc/keystone/fernet-keys/0
2018-02-21 12:01:57.934 3643 INFO keystone.common.token_utils [-] Excess key to purge: /etc/keystone/fernet-keys/1
[1]
2018-02-21 12:05:30.198 14496 ERROR keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/keystone/token/token_formatters.py", line 79, in pack
2018-02-21 12:05:30.198 14496 ERROR keystone.common.wsgi return self.crypto.encrypt(payload).rstrip(b'=').decode('utf-8')
2018-02-21 12:05:30.198 14496 ERROR keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/keystone/token/token_formatters.py", line 68, in crypto
2018-02-21 12:05:30.198 14496 ERROR keystone.common.wsgi fernet_instances = [fernet.Fernet(key) for key in keys]
2018-02-21 12:05:30.198 14496 ERROR keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/cryptography/fernet.py", line 37, in __init__
2018-02-21 12:05:30.198 14496 ERROR keystone.common.wsgi "Fernet key must be 32 url-safe base64-encoded bytes."
2018-02-21 12:05:30.198 14496 ERROR keystone.common.wsgi ValueError: Fernet key must be 32 url-safe base64-encoded bytes.
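The sequence above, reduced to a runnable model, as an added example that is not keystone's own code. rotate_keys() is a simplified stand-in for the rotation logged in [0] (key "0" is the staged key, the highest-numbered file is the primary, the oldest rotated key is purged once more than max_active_keys exist), and validate_fernet_key() mirrors the check cryptography's Fernet() applies in [1] (url-safe base64 decoding to exactly 32 bytes) so the example runs without the cryptography package. The validate flag is the assumption: with it off, rotation succeeds while leaving the empty "2" in place and the next key load fails exactly as in the traceback; with it on, the bad key file is caught before any file is touched.

```python
import base64
import binascii
import os
import tempfile

FERNET_KEY_ERROR = "Fernet key must be 32 url-safe base64-encoded bytes."


def validate_fernet_key(raw: bytes) -> bytes:
    """Same acceptance rule as cryptography.fernet.Fernet.__init__ (empty file -> error)."""
    try:
        key = base64.urlsafe_b64decode(raw)
    except (binascii.Error, ValueError):
        raise ValueError(FERNET_KEY_ERROR)
    if len(key) != 32:
        raise ValueError(FERNET_KEY_ERROR)
    return key


def generate_key() -> bytes:
    return base64.urlsafe_b64encode(os.urandom(32))


def load_keys(key_dir: str) -> list:
    """What the token formatter does on every encrypt: construct a Fernet per key file."""
    keys = []
    for name in sorted(os.listdir(key_dir), key=int):
        with open(os.path.join(key_dir, name), "rb") as f:
            keys.append(validate_fernet_key(f.read().strip()))
    return keys


def rotate_keys(key_dir: str, max_active_keys: int = 3, validate: bool = True) -> list:
    """Simplified model (assumption) of keystone-manage fernet_rotate.

    validate=False reproduces the reported behaviour: the rotation never reads the
    key contents, so an empty key file rotates "successfully".
    """
    names = sorted(int(n) for n in os.listdir(key_dir) if n.isdigit())
    if validate:
        # Pre-flight check that fails closed before any rename happens.
        for n in names:
            with open(os.path.join(key_dir, str(n)), "rb") as f:
                validate_fernet_key(f.read().strip())
    current_primary = max(names)
    new_primary = current_primary + 1
    tmp = os.path.join(key_dir, "0.tmp")
    with open(tmp, "wb") as f:          # "Created a new temporary key: 0.tmp"
        f.write(generate_key())
    os.rename(os.path.join(key_dir, "0"),  # "Promoted key 0 to be the primary"
              os.path.join(key_dir, str(new_primary)))
    os.rename(tmp, os.path.join(key_dir, "0"))  # "Become a valid new key: 0"
    names = sorted(int(n) for n in os.listdir(key_dir) if n.isdigit())
    while len(names) > max_active_keys:
        victim = names.pop(1)                # index 0 is the staged key, so pop the oldest rotated one
        os.remove(os.path.join(key_dir, str(victim)))  # "Excess key to purge"
    return [str(n) for n in names]


def reproduce(validate: bool) -> dict:
    """Steps 1-4 from the comment in a scratch directory (constructed input)."""
    result = {"rotated": False, "names": None, "error": None}
    with tempfile.TemporaryDirectory() as key_dir:
        for name in ("0", "1"):
            with open(os.path.join(key_dir, name), "wb") as f:
                f.write(generate_key())
        open(os.path.join(key_dir, "2"), "wb").close()   # the empty key file, now the "primary"
        try:
            rotate_keys(key_dir, validate=validate)
            result["rotated"] = True
            load_keys(key_dir)                           # the next authentication
        except ValueError as exc:
            result["error"] = str(exc)
        result["names"] = sorted(os.listdir(key_dir))
    return result


if __name__ == "__main__":
    print("without pre-check:", reproduce(validate=False))
    print("with pre-check:   ", reproduce(validate=True))
```

Without the pre-check the directory ends up as 0, 2, 3 (the valid "1" was purged, the empty "2" survives) and the load raises the same ValueError as [1]; with the pre-check the rotation refuses to run and 0, 1, 2 are left untouched, which is the safer failure for an operator to hit.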