OpenStack Identity (keystone)

  1. Bug #1895723
  2. Comment #31

Comment 31 for bug 1895723

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/train)

Reviewed: https://review.opendev.org/759561
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=5ede5d9db30e8aa1748b9a6e71bb452aa16833a8
Submitter: Zuul
Branch: stable/train

commit 5ede5d9db30e8aa1748b9a6e71bb452aa16833a8
Author: Mark Goddard <email address hidden>
Date: Thu Oct 22 09:18:32 2020 +0100

    Fix keystone-startup.sh - remove Fernet key age check

    Currently we check the age of the primary Fernet key on Keystone
    startup, and fail if it is older than the rotation interval. While this
    may seem sensible, there are various reasons why the key may be older
    than this:

    * if the rotation interval is not a factor of the number of seconds in a
      week, the rotation schedule will be lumpy, with the last rotation
      being up to twice the nominal rotation interval
    * if a keystone host is unavailable at its scheduled rotation time,
      rotation will not happen. This may happen multiple times

    We could do several things to avoid this issue:

    1. remove the check on the age of the key
    2. multiply the rotation interval by some factor to determine the
       allowed key age

    This change goes for the more simple option 1. It also cleans up some
    terminology in the keystone-startup.sh script.

    Closes-Bug: #1895723

    Change-Id: I2c35f59ae9449cb1646e402e0a9f28ad61f918a8
    (cherry picked from commit ba8c27f554682e1f2720fad1bff5cfa1b35017f2)