Keystone fernet key rotation schedule may be lumpy

Bug #1900982 reported by Mark Goddard
Affects: kolla-ansible
Status: Triaged
Importance: Medium
Assigned to: Mark Goddard
Milestone: none

Bug Description

The default fernet key rotation interval is set to:

fernet_token_expiry + fernet_token_allow_expired_window

By default this is 1 day + 2 days = 3 days.

Due to using cron for scheduling, and scheduling on a weekly basis, this leads to a lumpy schedule, with rotations on day 0 (Sunday) and 3 (Wednesday). This gives us actual key rotation intervals of 3 and 4 days.

Since the interval will only ever be increased from the nominal, we should not have any issues with tokens becoming invalid, due to the following formula (from https://docs.openstack.org/keystone/latest/admin/fernet-token-faq.html):

max_active_keys = ((token_expiration + allow_expired_window) / rotation_frequency) + 2

There is a potential minor security issue with keys being under-rotated, but this is probably better than tokens becoming invalid due to over-rotation.
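The following is an added example, not code from kolla-ansible or the bug report, that models the schedule described above: it lays the nominal rotation interval (fernet_token_expiry + fernet_token_allow_expired_window, 1 + 2 = 3 days) onto a weekly cron, derives the actual gaps between rotations, and checks them against the max_active_keys formula from the Keystone FAQ. The rule for choosing cron days (start on Sunday, step by the interval, and drop any day that would leave a gap shorter than the interval before the next Sunday) is an assumption chosen to reproduce the day 0 / day 3 schedule in the report; rounding the formula up to a whole key is also an assumption. The function handles any interval from 1 to 7 days, not only the 3-day default.

```python
import math

DAY_NAMES = ["Sunday", "Monday", "Tuesday", "Wednesday",
             "Thursday", "Friday", "Saturday"]


def weekly_rotation_days(interval_days):
    """Days of the week (0 = Sunday) on which a weekly cron rotates keys.

    Assumed rule: start on Sunday, step by interval_days, and drop any day
    that would leave a gap shorter than interval_days before the week wraps.
    This never schedules two rotations closer than the nominal interval.
    """
    if not 1 <= interval_days <= 7:
        raise ValueError("a weekly cron can only honour intervals of 1..7 days")
    days = []
    for day in range(0, 7, interval_days):
        if day != 0 and 7 - day < interval_days:
            break  # too close to the next Sunday rotation: would over-rotate
        days.append(day)
    return days


def actual_intervals(days):
    """Real gaps (in days) between consecutive rotations, including the wrap
    from the last rotation of one week to the first of the next."""
    gaps = [b - a for a, b in zip(days, days[1:])]
    gaps.append(7 - days[-1] + days[0])
    return gaps


def max_active_keys(token_expiration, allow_expired_window, rotation_frequency):
    """Keys that must stay active so no token is validated with a purged key.

    From the Keystone fernet FAQ:
      ((token_expiration + allow_expired_window) / rotation_frequency) + 2
    Rounded up to a whole key (assumption: keys are indivisible).
    """
    return math.ceil((token_expiration + allow_expired_window)
                     / rotation_frequency) + 2


def rotation_report(token_expiry_days, allow_expired_window_days):
    """Summarise the cron schedule that results from the kolla-ansible default
    nominal interval and whether it can invalidate tokens."""
    nominal = token_expiry_days + allow_expired_window_days
    days = weekly_rotation_days(nominal)
    gaps = actual_intervals(days)
    configured_keys = max_active_keys(token_expiry_days,
                                      allow_expired_window_days, nominal)
    # The shortest real gap is the one that could purge a key too early.
    required_keys = max_active_keys(token_expiry_days,
                                    allow_expired_window_days, min(gaps))
    return {
        "nominal_interval_days": nominal,
        "rotation_days": [DAY_NAMES[d] for d in days],
        "actual_intervals_days": gaps,
        "max_active_keys_configured": configured_keys,
        "max_active_keys_required": required_keys,
        # Only rotating faster than nominal (a gap shorter than nominal)
        # can make a still-valid token unverifiable.
        "tokens_safe": min(gaps) >= nominal,
        # Longer gaps than nominal are the under-rotation the report mentions.
        "under_rotation_days": max(gaps) - nominal,
    }


if __name__ == "__main__":
    # Constructed input: the kolla-ansible defaults quoted in the report.
    for key, value in rotation_report(1, 2).items():
        print(f"{key}: {value}")
```

With the defaults the report lists rotations on Sunday and Wednesday, actual intervals of 3 and 4 days, no token safety problem, and one day of under-rotation in the longer gap; a 2-day nominal interval yields three rotations per week with gaps of 2, 2 and 3 days.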

Changed in kolla-ansible:
assignee: nobody → Mark Goddard (mgoddard)
status: New → In Progress

Mark Goddard (mgoddard)
Changed in kolla-ansible:
importance: Undecided → Medium
status: In Progress → Triaged