Page MenuHomePhabricator
Create Task
Maniphest T243418

Convert keystone from uuid tokens to fernet tokens
Closed, ResolvedPublic
Actions

Description

UUID tokens are 'deprecated in Pike' which means we should move off of them soon. Fernet tokens have some advantages.

https://docs.openstack.org/keystone/queens/admin/identity-tokens.html
https://docs.openstack.org/newton/admin-guide/identity-fernet-token-faq.html

I don't yet know what the upgrade path will look like for this, but I don't think that client code will need to be modified.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Keystone: remove openstack::keystone::cleanupoperations/puppetproduction+0 -118
openstack::keystone::cleanup: remove all timersoperations/puppetproduction+4 -7
Keystone: switch from UUID tokens to fernet tokensoperations/puppetproduction+1 -2
keystone fernet key rotation: delete files during rsyncoperations/puppetproduction+1 -1
keystone key sync: update rsync remote pathoperations/puppetproduction+3 -3
Keystone: rotate and sync fernet tokensoperations/puppetproduction+82 -0
Keystone: set max_active_keys for fernet tokensoperations/puppetproduction+2 -0
Customize query in gerrit

Event Timeline

Andrew created this task.Jan 22 2020, 2:42 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 22 2020, 2:42 PM
Andrew added a comment.EditedJan 22 2020, 2:42 PM

Looks like uuid is still supported in Queens but removed in Rocky.

Paladox subscribed.Jan 22 2020, 2:53 PM
gerritbot added a comment.Feb 6 2020, 3:16 AM

Change 570507 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[operations/puppet@production] Keystone: set max_active_keys for fernet tokens

https://gerrit.wikimedia.org/r/570507

gerritbot added a project: Patch-For-Review.Feb 6 2020, 3:16 AM
gerritbot added a comment.Feb 6 2020, 6:36 AM

Change 570521 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[operations/puppet@production] Keystone: rotate and sync fernet tokens

https://gerrit.wikimedia.org/r/570521

gerritbot added a comment.Feb 6 2020, 6:53 PM

Change 570507 merged by Andrew Bogott:
[operations/puppet@production] Keystone: set max_active_keys for fernet tokens

https://gerrit.wikimedia.org/r/570507

gerritbot added a comment.Feb 6 2020, 6:57 PM

Change 570521 merged by Andrew Bogott:
[operations/puppet@production] Keystone: rotate and sync fernet tokens

https://gerrit.wikimedia.org/r/570521

Maintenance_bot removed a project: Patch-For-Review.Feb 6 2020, 7:10 PM
gerritbot added a comment.Feb 7 2020, 3:32 PM

Change 570908 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[operations/puppet@production] keystone key sync: update rsync remote path

https://gerrit.wikimedia.org/r/570908

gerritbot added a project: Patch-For-Review.Feb 7 2020, 3:32 PM
gerritbot added a comment.Feb 7 2020, 3:35 PM

Change 570908 merged by Andrew Bogott:
[operations/puppet@production] keystone key sync: update rsync remote path

https://gerrit.wikimedia.org/r/570908

Maintenance_bot removed a project: Patch-For-Review.Feb 7 2020, 4:10 PM
Bstorm triaged this task as Medium priority.Feb 11 2020, 4:12 PM
Bstorm moved this task from Inbox to Doing on the cloud-services-team (Kanban) board.
gerritbot added a comment.Feb 15 2020, 4:00 PM

Change 572413 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[operations/puppet@production] keystone fernet key rotation: delete files during rsync

https://gerrit.wikimedia.org/r/572413

gerritbot added a project: Patch-For-Review.Feb 15 2020, 4:00 PM
gerritbot added a comment.Feb 15 2020, 4:30 PM

Change 572413 merged by Andrew Bogott:
[operations/puppet@production] keystone fernet key rotation: delete files during rsync

https://gerrit.wikimedia.org/r/572413

Maintenance_bot removed a project: Patch-For-Review.Feb 15 2020, 5:10 PM
gerritbot added a comment.Feb 17 2020, 4:12 AM

Change 572507 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[operations/puppet@production] Keystone: switch from UUID tokens to fernet tokens

https://gerrit.wikimedia.org/r/572507

gerritbot added a project: Patch-For-Review.Feb 17 2020, 4:12 AM
gerritbot added a comment.Feb 18 2020, 3:04 PM

Change 572507 merged by Andrew Bogott:
[operations/puppet@production] Keystone: switch from UUID tokens to fernet tokens

https://gerrit.wikimedia.org/r/572507

Maintenance_bot removed a project: Patch-For-Review.Feb 18 2020, 3:10 PM
Andrew closed this task as Resolved.Feb 18 2020, 3:31 PM
gerritbot added a comment.Apr 18 2020, 5:08 PM

Change 589876 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[operations/puppet@production] Keystone: remove openstack::keystone::cleanup

https://gerrit.wikimedia.org/r/589876

gerritbot added a project: Patch-For-Review.Apr 18 2020, 5:08 PM
gerritbot added a comment.Apr 18 2020, 5:12 PM

Change 589877 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[operations/puppet@production] openstack::keystone::cleanup: remove all timers

https://gerrit.wikimedia.org/r/589877

gerritbot added a comment.Apr 20 2020, 1:58 AM

Change 589877 merged by Andrew Bogott:
[operations/puppet@production] openstack::keystone::cleanup: remove all timers

https://gerrit.wikimedia.org/r/589877

gerritbot added a comment.Apr 20 2020, 2:44 AM

Change 589876 merged by Andrew Bogott:
[operations/puppet@production] Keystone: remove openstack::keystone::cleanup

https://gerrit.wikimedia.org/r/589876

Maintenance_bot removed a project: Patch-For-Review.Apr 20 2020, 3:10 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits