Comment 30 for bug 1895723

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/ussuri)

Reviewed: https://review.opendev.org/759560
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=8e56a1a7975d7030241cfb8476ae54c9550498a0
Submitter: Zuul
Branch: stable/ussuri

commit 8e56a1a7975d7030241cfb8476ae54c9550498a0
Author: Mark Goddard <email address hidden>
Date: Thu Oct 22 09:18:32 2020 +0100

    Fix keystone-startup.sh - remove Fernet key age check

    Currently we check the age of the primary Fernet key on Keystone
    startup, and fail if it is older than the rotation interval. While this
    may seem sensible, there are various reasons why the key may be older
    than this:

    * if the rotation interval is not a factor of the number of seconds in a
      week, the rotation schedule will be lumpy, with the last rotation
      being up to twice the nominal rotation interval
    * if a keystone host is unavailable at its scheduled rotation time,
      rotation will not happen. This may happen multiple times

    We could do several things to avoid this issue:

    1. remove the check on the age of the key
    2. multiply the rotation interval by some factor to determine the
       allowed key age

    This change goes for the more simple option 1. It also cleans up some
    terminology in the keystone-startup.sh script.

    Closes-Bug: #1895723

    Change-Id: I2c35f59ae9449cb1646e402e0a9f28ad61f918a8
    (cherry picked from commit ba8c27f554682e1f2720fad1bff5cfa1b35017f2)