Specified fernet token keys are not utilised

Bug #1634828 reported by Rhys Oxenham on 2016-10-19
Affects: tripleo
Importance: Low
Assigned to: Unassigned

Bug Description

Unfortunately, despite setting the fernet tokens in an environment file used with TripleO, they're not used as expected, and therefore if using a multi-site configuration, one token issued by one site is not automatically valid in another. Inside of the configuration we use the following parameters for fernet:

    # Enable fernet tokens
    keystone::enable_fernet_setup: true
    keystone::token_provider: 'fernet'

    # Set the fernet token keys
    keystone::fernet_keys:
      '/etc/keystone/fernet-keys/0':
        content: 'pTZtu4rmWkYGVpvamj3iysQkBknw026KixVzN-ybBKI='
      '/etc/keystone/fernet-keys/1':
        content: 'IOV0IUtppYRei_B8NxWDw-RNfMGUmCeYSPofOH4QFPY='

Yet when deployed, we see the following:

[root@region-one-controller-0 ~]# cat /etc/keystone/fernet-keys/0; echo
tWmKQ_qrzVoh1er4WdkuNbYhkw26mP8rVEMuZJpzlko=

[root@region-one-controller-0 ~]# cat /etc/keystone/fernet-keys/1; echo
ir7crS67c-_sLNrsrgGjHWiuFqP1lrSpWuAr8X0pWys=

It's my belief that when the 'keystone::enable_fernet_setup: true' option is invoked, it creates new keys automatically, and potentially ignores, or even overwrites, the ones that we are attempting to have it utilise as per the TripleO configuration. Therefore, the only workaround I've found is to either script it as a post-deployment hook, or to manually copy the key files between the resulting regions, which obviously has problems if we decide to add other regions, or other controllers to an existing region. Thanks!
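The failure mode described in the report (a deploy that silently regenerates fernet keys instead of installing the configured ones) can be caught with a post-deployment check that diffs the on-disk key repository against the keys hieradata was supposed to install. The following script is an added example for this report, not code from TripleO or puppet-keystone; the hieradata keys and the observed on-disk keys are copied from the report above, and the only assumption is Keystone's standard repository layout (one key per file named by its index under /etc/keystone/fernet-keys). The same compare_keys() function works for the multi-region case: feed it the repositories of two regions and an empty result means tokens issued by one will validate in the other.

```python
"""Check a Keystone fernet key repository against the keys hieradata
should have installed, and compare repositories across controllers/regions.

Added example for this bug report; not part of TripleO or puppet-keystone.
Key values below are the ones quoted in the report. Assumption: the
repository uses Keystone's layout, /etc/keystone/fernet-keys/<index>.
"""
import base64
import binascii
import os
import tempfile

# Keys from the hieradata in the report (what the operator configured).
HIERADATA_KEYS = {
    0: "pTZtu4rmWkYGVpvamj3iysQkBknw026KixVzN-ybBKI=",
    1: "IOV0IUtppYRei_B8NxWDw-RNfMGUmCeYSPofOH4QFPY=",
}

# Keys observed on region-one-controller-0 after the deploy (from the report).
OBSERVED_KEYS = {
    0: "tWmKQ_qrzVoh1er4WdkuNbYhkw26mP8rVEMuZJpzlko=",
    1: "ir7crS67c-_sLNrsrgGjHWiuFqP1lrSpWuAr8X0pWys=",
}


def is_valid_fernet_key(key):
    """A fernet key is 32 random bytes in URL-safe base64 (44 characters)."""
    if len(key) != 44:
        return False
    try:
        raw = base64.urlsafe_b64decode(key.encode("ascii"))
    except (binascii.Error, ValueError, UnicodeEncodeError):
        return False
    return len(raw) == 32


def read_key_repository(path):
    """Return {index: key} for a Keystone fernet-keys directory.

    Keystone names each key file after its index: 0 is the staged key and
    the highest index is the primary key used to issue new tokens.
    """
    keys = {}
    for name in os.listdir(path):
        if not name.isdigit():
            continue  # skip anything that is not a key file
        with open(os.path.join(path, name), encoding="ascii") as fh:
            keys[int(name)] = fh.read().strip()
    return keys


def compare_keys(expected, actual):
    """Diff two {index: key} maps.

    Returns a list of (index, expected_key, actual_key); a key missing on
    one side is reported as None. An empty list means the maps agree.
    """
    problems = []
    for idx in sorted(set(expected) | set(actual)):
        exp, act = expected.get(idx), actual.get(idx)
        if exp != act:
            problems.append((idx, exp, act))
    return problems


def write_sample_repository(keys):
    """Constructed fixture: lay the given keys out as a fernet-keys directory."""
    path = tempfile.mkdtemp(prefix="fernet-keys-")
    for idx, key in keys.items():
        with open(os.path.join(path, str(idx)), "w", encoding="ascii") as fh:
            fh.write(key + "\n")
    return path


def check_deployment(hieradata_keys, repo_path):
    """Validate key format, then diff the on-disk repository against hieradata."""
    deployed = read_key_repository(repo_path)
    bad_format = [i for i, k in deployed.items() if not is_valid_fernet_key(k)]
    return {"bad_format": bad_format,
            "mismatches": compare_keys(hieradata_keys, deployed)}


if __name__ == "__main__":
    # Reproduce the report: deployed keys differ from the configured ones.
    repo = write_sample_repository(OBSERVED_KEYS)
    result = check_deployment(HIERADATA_KEYS, repo)
    for idx, exp, act in result["mismatches"]:
        print(f"key {idx}: hieradata {exp} but deployed {act}")
    if result["mismatches"]:
        print("tokens issued by this controller will not validate in a "
              "region that installed the hieradata keys")
```

Run it against the real path on each controller (check_deployment(HIERADATA_KEYS, "/etc/keystone/fernet-keys")) as a post-deployment hook; any non-empty mismatches list is exactly the condition the report describes, and comparing read_key_repository() output from two regions with compare_keys() confirms whether cross-region tokens will validate before anyone notices a failed request.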

Rhys Oxenham (rdoxenham) on 2016-10-19
Changed in tripleo:
importance: Undecided → Low
Rhys Oxenham (rdoxenham) wrote :

Upon reflection, this is likely a bug in puppet-keystone, not TripleO. Thoughts?

Alex Schultz (alex-schultz) wrote :

I was unable to confirm this. I used the provided information in a deploy and the deployment used the keys. Can you provide additional version information around your environment?

Using the current master heat templates, the expected files were created. See http://paste.openstack.org/show/586470/

Changed in tripleo:
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for tripleo because there has been no activity for 60 days.]

Changed in tripleo:
status: Incomplete → Expired
Changed in tripleo:
status: Expired → Fix Released
milestone: none → ocata-3