Fernet keys are rotated by the keystone deploy playbook every time

Bug #1833729 reported by Pierre Riteau
Affects        Status        Importance  Assigned to         Milestone
kolla-ansible  Fix Released  High        Mark Goddard        -
Queens         Fix Released  High        Pierre Riteau       -
Rocky          Fix Released  High        Pierre Riteau       -
Stein          Fix Released  High        Radosław Piliszek   -
Train          Fix Released  High        Mark Goddard        -

Bug Description

When running deploy or reconfigure for Keystone, ansible/roles/keystone/tasks/deploy.yml calls init_fernet.yml, which runs /usr/bin/fernet-rotate.sh, which calls keystone-manage fernet_rotate.

This means that a token can become invalid if the operator runs deploy or reconfigure too often.
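To make the impact concrete, here is an added, stdlib-only model of the failure mode described above (constructed for this write-up, not kolla-ansible or keystone code): it simulates keystone's fernet key repository, where key 0 is the staged key, the highest-numbered key is primary and keys beyond max_active_keys (assumed here at keystone's default of 3) are purged on rotation, with tokens modelled as HMAC-tagged payloads rather than real Fernet ciphertext. `deploy_before_fix` rotates on every run as the bug describes; `deploy_after_fix` only pushes the existing keys, which is the behaviour the fix restores.

```python
import hashlib
import hmac
import os
MAX_ACTIVE_KEYS = 3  # assumed: keystone's [fernet_tokens] max_active_keys default

class FernetKeyRepository:
    """Model of keystone's key repo: 0 is staged, highest is primary, rest secondary."""
    def __init__(self, max_active_keys=MAX_ACTIVE_KEYS):
        self.max_active_keys = max_active_keys
        self.keys = {}

    def setup(self):
        # keystone-manage fernet_setup: staged key 0 plus primary key 1
        self.keys = {0: os.urandom(32), 1: os.urandom(32)}

    def rotate(self):
        # keystone-manage fernet_rotate: staged -> primary, new staged, purge oldest
        self.keys[max(self.keys) + 1] = self.keys.pop(0)
        self.keys[0] = os.urandom(32)
        while len(self.keys) > self.max_active_keys:
            del self.keys[min(k for k in self.keys if k != 0)]

    def issue_token(self, payload):
        # real tokens are AES-CBC + HMAC; an HMAC tag under the primary key models "bound to one key"
        key = self.keys[max(self.keys)]
        return payload + hmac.new(key, payload, hashlib.sha256).digest()

    def validate_token(self, token):
        # keystone tries every key still in the repository, not only the primary
        payload, tag = token[:-32], token[-32:]
        return any(hmac.compare_digest(hmac.new(k, payload, hashlib.sha256).digest(), tag)
                   for k in self.keys.values())

def deploy_before_fix(repo):
    # deploy.yml -> init_fernet.yml -> fernet-rotate.sh -> keystone-manage fernet_rotate
    repo.rotate()

def deploy_after_fix(repo):
    # fernet-push.sh only distributes the existing keys to the other hosts
    return sorted(repo.keys)

def token_survives(deploy, runs, max_active_keys=MAX_ACTIVE_KEYS):
    # issue one token, run the deploy playbook `runs` times, report if still valid
    repo = FernetKeyRepository(max_active_keys)
    repo.setup()
    token = repo.issue_token(b"constructed token payload")
    for _ in range(runs):
        deploy(repo)
    return repo.validate_token(token)
```

With three active keys, a token issued before the first deploy survives one run and is rejected on the second, well inside the default one-hour token lifetime; raising max_active_keys only delays the rejection, it does not remove it.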

Pierre Riteau (priteau)
summary: - Fernet keys are rotated every time the keystone deploy playbook is run
+ Fernet keys are rotated by the keystone deploy playbook every time
Mark Goddard (mgoddard)
Changed in kolla-ansible:
importance: Undecided → Medium
importance: Medium → High
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (master)

Fix proposed to branch: master
Review: https://review.opendev.org/666882

Changed in kolla-ansible:
assignee: nobody → Mark Goddard (mgoddard)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (master)

Reviewed: https://review.opendev.org/666882
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=09e29d0db9b895b97470c9c8a60442b980a3eb3c
Submitter: Zuul
Branch: master

commit 09e29d0db9b895b97470c9c8a60442b980a3eb3c
Author: Mark Goddard <email address hidden>
Date: Fri Jun 21 16:52:18 2019 +0100

    Don't rotate keystone fernet keys during deploy

    When running deploy or reconfigure for Keystone,
    ansible/roles/keystone/tasks/deploy.yml calls init_fernet.yml,
    which runs /usr/bin/fernet-rotate.sh, which calls keystone-manage
    fernet_rotate.

    This means that a token can become invalid if the operator runs
    deploy or reconfigure too often.

    This change splits out fernet-push.sh from the fernet-rotate.sh
    script, then calls fernet-push.sh after the fernet bootstrap
    performed in deploy.

    Change-Id: I824857ddfb1dd026f93994a4ac8db8f80e64072e
    Closes-Bug: #1833729

Changed in kolla-ansible:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/669132

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/stein)

Reviewed: https://review.opendev.org/669132
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=61406fe9251f63c05c5423511a8d480c8d7d6433
Submitter: Zuul
Branch: stable/stein

commit 61406fe9251f63c05c5423511a8d480c8d7d6433
Author: Mark Goddard <email address hidden>
Date: Fri Jun 21 16:52:18 2019 +0100

    Don't rotate keystone fernet keys during deploy

    When running deploy or reconfigure for Keystone,
    ansible/roles/keystone/tasks/deploy.yml calls init_fernet.yml,
    which runs /usr/bin/fernet-rotate.sh, which calls keystone-manage
    fernet_rotate.

    This means that a token can become invalid if the operator runs
    deploy or reconfigure too often.

    This change splits out fernet-push.sh from the fernet-rotate.sh
    script, then calls fernet-push.sh after the fernet bootstrap
    performed in deploy.

    Change-Id: I824857ddfb1dd026f93994a4ac8db8f80e64072e
    Closes-Bug: #1833729
    (cherry picked from commit 09e29d0db9b895b97470c9c8a60442b980a3eb3c)

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.opendev.org/670288

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.opendev.org/670289

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/queens)

Reviewed: https://review.opendev.org/670289
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=c68cc2c66392e3fe791fc1aba95d20ac5becbc37
Submitter: Zuul
Branch: stable/queens

commit c68cc2c66392e3fe791fc1aba95d20ac5becbc37
Author: Mark Goddard <email address hidden>
Date: Fri Jun 21 16:52:18 2019 +0100

    Don't rotate keystone fernet keys during deploy

    When running deploy or reconfigure for Keystone,
    ansible/roles/keystone/tasks/deploy.yml calls init_fernet.yml,
    which runs /usr/bin/fernet-rotate.sh, which calls keystone-manage
    fernet_rotate.

    This means that a token can become invalid if the operator runs
    deploy or reconfigure too often.

    This change splits out fernet-push.sh from the fernet-rotate.sh
    script, then calls fernet-push.sh after the fernet bootstrap
    performed in deploy.

    Change-Id: I824857ddfb1dd026f93994a4ac8db8f80e64072e
    Closes-Bug: #1833729
    (cherry picked from commit 09e29d0db9b895b97470c9c8a60442b980a3eb3c)

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/rocky)

Reviewed: https://review.opendev.org/670288
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=099417d8a83dbbd85c6b0d07a00184ac35e5ba55
Submitter: Zuul
Branch: stable/rocky

commit 099417d8a83dbbd85c6b0d07a00184ac35e5ba55
Author: Mark Goddard <email address hidden>
Date: Fri Jun 21 16:52:18 2019 +0100

    Don't rotate keystone fernet keys during deploy

    When running deploy or reconfigure for Keystone,
    ansible/roles/keystone/tasks/deploy.yml calls init_fernet.yml,
    which runs /usr/bin/fernet-rotate.sh, which calls keystone-manage
    fernet_rotate.

    This means that a token can become invalid if the operator runs
    deploy or reconfigure too often.

    This change splits out fernet-push.sh from the fernet-rotate.sh
    script, then calls fernet-push.sh after the fernet bootstrap
    performed in deploy.

    Change-Id: I824857ddfb1dd026f93994a4ac8db8f80e64072e
    Closes-Bug: #1833729
    (cherry picked from commit 09e29d0db9b895b97470c9c8a60442b980a3eb3c)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 8.0.0.0rc2

This issue was fixed in the openstack/kolla-ansible 8.0.0.0rc2 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 6.2.2

This issue was fixed in the openstack/kolla-ansible 6.2.2 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 7.1.2

This issue was fixed in the openstack/kolla-ansible 7.1.2 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 9.0.0.0rc1

This issue was fixed in the openstack/kolla-ansible 9.0.0.0rc1 release candidate.
