Use fernet tokens with keystone
Fernet tokens have a large advantage over UUID tokens in token generation: they are generated virtually instantly. Validation runs at about the same speed, if not slightly slower. More importantly, Fernet tokens never need to be stored in the database (or cleaned out of it), which is a large net performance gain in a lot of ways.
I recommend we use it as the default token driver for Mitaka.
Blueprint information
- Status: Complete
- Approver: Steven Dake
- Priority: Essential
- Drafter: Sam Yaple
- Direction: Approved
- Assignee: Shaun Smekel
- Definition: Approved
- Series goal: Accepted for newton
- Implementation: Implemented
- Milestone target: newton-3
- Started by: Steven Dake
- Completed by: Swapnil Kulkarni
Whiteboard
Seems a little late to change all token generation in kolla to something that isn't really proven tech in a RC. --sdake
Agreed, I don't remember exactly what I was thinking, but I am almost positive I meant the default token driver for Mitaka, not Liberty. I just wanted it included in Liberty. Either way that is what it says now. --SamYaple
It would be great if we can jam this into Mitaka - although I know everyone is overloaded and the request is coming late. --sdake
This blueprint is far from complete given the TODO items in the work items, so bouncing to newton 1. --sdake
Moving to newton-3, expected to be released on 2016-09-02. Please try to finish it before that, otherwise it will be moved to Ocata. - coolsvap
Gerrit topic: https:/
Addressed by: https:/
Fernet Key Implementation [WIP]
Addressed by: https:/
Add full support for fernet [WIP]
Addressed by: https:/
Add dockerfiles for keystone fernet
Addressed by: https:/
Urgent: Fixes build failures
Work items:
- Provide config options for all services in an {{if}} based on what the token driver is: TODO
- Provide playbook for rotating the keys around. NOTE(SamYaple): The ceph fetch.py should help here a lot: TODO
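The second work item is a playbook for rotating the fernet keys, and the description above rests on tokens needing no database row because any key in the repository can validate them. The following is an added example, not Kolla or keystone code, that models the key repository and rotation those two points depend on. It assumes keystone's documented repository convention: file `0` is the staged key, the highest-numbered file is the primary key that issues tokens, every other file is a secondary key kept only for validation, and the repository is pruned to `max_active_keys` files (staged and primary included). Fernet's AES-CBC plus HMAC construction is replaced by a bare HMAC-SHA256 tag so the example runs on the standard library alone; the token payload and all key material are constructed in a temporary directory.

```python
# Added example (not Kolla or keystone code): a model of fernet key
# repository rotation. Assumed convention, following keystone's scheme:
# "0" is the staged key, the highest index is the primary (issuing) key,
# the rest are secondary keys for validation only, pruned to max_active_keys.
# A bare HMAC-SHA256 tag stands in for fernet's encrypt-then-MAC token.
import base64
import hashlib
import hmac
import os
import tempfile
from typing import Dict, List, Optional

TAG_LEN = 32  # HMAC-SHA256 digest length


def new_key() -> bytes:
    """Fernet keys are 32 random bytes, url-safe base64 encoded."""
    return base64.urlsafe_b64encode(os.urandom(32))


def write_key(repo: str, index: int, key: bytes) -> None:
    path = os.path.join(repo, str(index))
    with open(path, "wb") as fh:
        fh.write(key)
    os.chmod(path, 0o600)  # key files are secrets: owner read/write only


def read_key(repo: str, index: int) -> bytes:
    with open(os.path.join(repo, str(index)), "rb") as fh:
        return fh.read()


def key_indexes(repo: str) -> List[int]:
    return sorted(int(n) for n in os.listdir(repo) if n.isdigit())


def initialize_repo(repo: str) -> List[int]:
    """Initial setup: a staged key 0 and a primary key 1."""
    os.makedirs(repo, exist_ok=True)
    write_key(repo, 0, new_key())
    write_key(repo, 1, new_key())
    return key_indexes(repo)


def rotate(repo: str, max_active_keys: int = 3) -> List[int]:
    """One rotation: the staged key becomes primary, a fresh staged key is
    written, and the oldest secondaries are removed until at most
    max_active_keys files remain (staged and primary count toward it)."""
    if max_active_keys < 2:
        raise ValueError("need room for at least a staged and a primary key")
    indexes = key_indexes(repo)
    if 0 not in indexes:
        raise RuntimeError("staged key 0 is missing; refusing to rotate")
    new_primary = max(indexes) + 1
    os.rename(os.path.join(repo, "0"), os.path.join(repo, str(new_primary)))
    write_key(repo, 0, new_key())
    indexes = key_indexes(repo)
    while len(indexes) > max_active_keys:
        oldest_secondary = min(i for i in indexes if i != 0)
        os.remove(os.path.join(repo, str(oldest_secondary)))
        indexes = key_indexes(repo)
    return indexes


def issue_token(repo: str, payload: bytes) -> str:
    """Issue with the primary key only; nothing is written to a database."""
    primary = max(key_indexes(repo))
    tag = hmac.new(read_key(repo, primary), payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode("ascii")


def validate_token(repo: str, token: str) -> Optional[bytes]:
    """Validate against every key in the repository (primary, secondaries and
    the staged key, which may already be primary on another node)."""
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
    except (ValueError, UnicodeEncodeError):
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    for index in key_indexes(repo):
        expected = hmac.new(read_key(repo, index), payload, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):
            return payload
    return None  # signed with a key that was never here or has been pruned


def demo(max_active_keys: int = 3) -> Dict[str, object]:
    """A token survives exactly max_active_keys - 2 rotations."""
    with tempfile.TemporaryDirectory() as repo:
        initialize_repo(repo)
        token = issue_token(repo, b"user=alice;project=demo")  # constructed payload
        rotate(repo, max_active_keys)  # issuing key is now a secondary
        after_one = validate_token(repo, token) is not None
        rotate(repo, max_active_keys)  # with 3 active keys, issuing key is pruned
        after_two = validate_token(repo, token) is not None
        return {"after_one": after_one, "after_two": after_two,
                "keys": key_indexes(repo)}


if __name__ == "__main__":
    print(demo())
```

The point a rotation playbook has to respect is visible in `demo()`: with `max_active_keys` at 3, a token issued under the primary key validates after one rotation and fails after the second, so the rotation interval multiplied by `max_active_keys - 2` must exceed the configured token lifetime, or valid tokens are silently cut off. Rotation must also run on one node and the repository be copied to the others (which is what the ceph `fetch.py` note is about), since a node with a different key set would reject tokens its peers issued.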