Keystone fernet key rotation schedule may be lumpy
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
kolla-ansible | Triaged | Medium | Mark Goddard |
Bug Description
The default fernet key rotation interval is set to:
fernet_token_expiry + fernet_
By default this is 1 day + 2 days = 3 days.
Due to using cron for scheduling, and scheduling on a weekly basis, this leads to a lumpy schedule, with rotations on day 0 (Sunday) and 3 (Wednesday). This gives us actual key rotation intervals of 3 and 4 days.
Since the interval will only ever be increased from the nominal, we should not have any issues with tokens becoming invalid, due to the following formula (from https:/
max_active_keys = ((token_expiration + allow_expired_
There is a potential minor security issue with keys being under-rotated, but this is probably better than tokens becoming invalid due to over-rotation.
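The lumpy schedule described above, worked through as an added example (not part of the original report and not kolla-ansible's own cron generator). It assumes a simplified model in which rotations are placed at multiples of the nominal interval from the start of the week, keeping only slots that leave a full interval before the weekly schedule restarts; the function names are hypothetical.

```python
DAYS_PER_WEEK = 7


def weekly_rotation_days(nominal_days):
    """Cron day-of-week values (0 = Sunday) on which keys are rotated.

    Assumed model: floor(7 / nominal) slots at multiples of the nominal
    interval. A naive range(0, 7, nominal) would add day 6 for a 3-day
    interval and rotate again after 1 day, i.e. over-rotate.
    """
    if not 1 <= nominal_days <= DAYS_PER_WEEK:
        raise ValueError("a weekly cron schedule needs an interval of 1 to 7 days")
    slots = DAYS_PER_WEEK // nominal_days
    return [i * nominal_days for i in range(slots)]


def actual_intervals(days):
    """Gaps in days between consecutive rotations, including the week wrap."""
    gaps = [b - a for a, b in zip(days, days[1:])]
    gaps.append(DAYS_PER_WEEK - days[-1] + days[0])
    return gaps


def summarize(nominal_days):
    """Compare the nominal interval with what the weekly schedule delivers."""
    days = weekly_rotation_days(nominal_days)
    gaps = actual_intervals(days)
    return {
        "cron_day_of_week": ",".join(str(d) for d in days),
        "gaps": gaps,
        # Over-rotation (a gap shorter than nominal) can invalidate tokens.
        "over_rotated": min(gaps) < nominal_days,
        # Under-rotation: how much longer than nominal a key can stay primary.
        "max_under_rotation_days": max(gaps) - nominal_days,
    }


if __name__ == "__main__":
    for nominal in range(1, DAYS_PER_WEEK + 1):
        print(nominal, summarize(nominal))
```

Under this model only intervals that divide 7 days evenly (1 and 7) are rotated exactly on schedule; every other value is under-rotated by the remainder of the week.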
Changed in kolla-ansible:
assignee: nobody → Mark Goddard (mgoddard)
status: New → In Progress
Changed in kolla-ansible:
importance: Undecided → Medium
status: In Progress → Triaged