Bug 1625367

Summary:	Do we support caching of fernet tokens?
Product:	Red Hat OpenStack	Reporter:	Alex Stupnikov <astupnik>
Component:	openstack-keystone	Assignee:	Harry Rybacki <hrybacki>
Status:	CLOSED ERRATA	QA Contact:	Jeremy Agee <jagee>
Severity:	high	Docs Contact:
Priority:	high
Version:	10.0 (Newton)	CC:	alee, astupnik, cswanson, dwilde, fosliffebernie, ggrasza, jagee, jschluet, jsisul, jwakely, nkinder, nlevinki, rheslop, srevivo
Target Milestone:	ga	Keywords:	TestOnly, Triaged
Target Release:	17.0
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2022-09-21 12:07:40 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Alex Stupnikov 2018-09-04 18:08:57 UTC

It is known that caching of fernet tokens provides 50%+ performance increase, but it also could break authentication service in case of any serious issue. Current documentation [1] doesn't contain any details about configuring [cache] section in keystone.conf.

Our partner is concerned if we support the environments with the following configuration parameters in keystone.conf:

/etc/keystone/keystone.conf::cache::backend oslo_cache.memcache_pool
/etc/keystone/keystone.conf::cache::memcache_servers 1.1.1.1:11211,1.1.1.2:11211,1.1.1.3:11211
/etc/keystone/keystone.conf::cache::enabled true
/etc/keystone/keystone.conf::token::caching true

Please treat this bug as one with high priority: it could have serious business impact.

[1] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html/configuration_reference/ch_configuring-openstack-identity

Comment 1 Alex Stupnikov 2018-09-04 18:12:12 UTC

Here is official configuration guide for fernet tokens in RHOSP 10:

https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html/deploy_fernet_on_the_overcloud/

Comment 35 errata-xmlrpc 2022-09-21 12:07:40 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:6543

Comment 36 Mia Doherty 2023-02-23 10:13:34 UTC Comment hidden (spam)

As a result, all types of tokens benefit from caching, including Fernet tokens. Although Fernet tokens do not need to be persisted, they should still be cached for optimal token validation performance.

https://www.novitasphere.us/

Comment 37 Mia Doherty 2023-02-23 10:14:02 UTC Comment hidden (spam)

As a result, all types of tokens benefit from caching, including Fernet tokens. Although Fernet tokens do not need to be persisted, they should still be cached for optimal token validation performance.

https://www.novitasphere.us/