tripleo

Specified fernet token keys are not utilised

Bug #1634828 reported by Rhys Oxenham on 2016-10-19

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	tripleo	Fix Released	Low	Unassigned	tripleo ocata-3 "ocata-3"

Bug Description

Unfortunately, despite setting the fernet tokens in an environment file used with TripleO, they're not used as expected, and therefore if using a multi-site configuration, one token issued by one site is not automatically valid in another. Inside of the configuration we use the following parameters for fernet:

    # Enable fernet tokens
    keystone::enable_fernet_setup: true
    keystone::token_provider: 'fernet'

    # Set the fernet token keys
    keystone::fernet_keys:
      '/etc/keystone/fernet-keys/0':
        content: 'pTZtu4rmWkYGVpvamj3iysQkBknw026KixVzN-ybBKI='
      '/etc/keystone/fernet-keys/1':
        content: 'IOV0IUtppYRei_B8NxWDw-RNfMGUmCeYSPofOH4QFPY='

Yet when deployed, we see the following:

[root@region-one-controller-0 ~]# cat /etc/keystone/fernet-keys/0; echo
tWmKQ_qrzVoh1er4WdkuNbYhkw26mP8rVEMuZJpzlko=

[root@region-one-controller-0 ~]# cat /etc/keystone/fernet-keys/1; echo
ir7crS67c-_sLNrsrgGjHWiuFqP1lrSpWuAr8X0pWys=

It's my belief that when the 'keystone::enable_fernet_setup: true' option is invoked, it creates new keys automatically, and potentially ignores, or even overwrites the ones that we attempt it to utilise as per the TripleO configuration. Therefore, the only workaround I've found is to either script it as a post-deployment hook, or to manually copy the key files between the resulting regions, which obviously has problems if we decide to add other regions, or other controllers to an existing region. Thanks!

Rhys Oxenham (rdoxenham) on 2016-10-19

Changed in tripleo:
importance:	Undecided → Low

Revision history for this message

Rhys Oxenham (rdoxenham) wrote on 2016-10-19:

Upon reflection, this is likely a bug in puppet-keystone, not TripleO. Thoughts?

Revision history for this message

Alex Schultz (alex-schultz) wrote on 2016-10-19:

I was unable to confirm this. I used the provided information in a deploy and the deployment used the keys. Can you provide additional version information around your environment?

Using the current master heat templates, the expected files were created. See http://paste.openstack.org/show/586470/

Changed in tripleo:
status:	New → Incomplete

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-11-14: Related fix proposed to tripleo-heat-templates (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/397391

Revision history for this message

Launchpad Janitor (janitor) wrote on 2017-01-14:

[Expired for tripleo because there has been no activity for 60 days.]

Changed in tripleo:
status:	Incomplete → Expired

Emilien Macchi (emilienm) on 2017-01-15

Changed in tripleo:
status:	Expired → Fix Released
milestone:	none → ocata-3

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.