1325541 – [RFE][keystone] Fernet Token Support

Bug 1325541 - [RFE][keystone] Fernet Token Support

Summary: [RFE][keystone] Fernet Token Support

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-keystone
Sub Component:
Version:	9.0 (Mitaka)
Hardware:	All
OS:	All
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	10.0 (Newton)
Assignee:	Adam Young
QA Contact:	nlevinki
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1336533 1382799 1382803
TreeView+	depends on / blocked

Reported:	2016-04-09 20:20 UTC by Adam Young
Modified:	2016-12-14 15:32 UTC (History)
CC List:	7 users (show)
Fixed In Version:	openstack-keystone-10.0.0-1.el7ost
Doc Type:	Enhancement
Doc Text:
Clone Of:
Clones:	1382799 1382803 (view as bug list)
Environment:
Last Closed:	2016-12-14 15:32:00 UTC

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHEA-2016:2948	normal	SHIPPED_LIVE	Red Hat OpenStack Platform 10 enhancement update	2016-12-14 19:55:27 UTC
OpenStack gerrit	258650	None	None	None	2016-04-09 20:20:55 UTC

Description Adam Young 2016-04-09 20:20:55 UTC

Description of problem:

Fernet tokens are not default in upstream Mitaka due to several unit tests failing.  Once these have been resolved, the changes required should be backported to ship with OSP 8.

Comment 2 Adam Young 2016-09-02 17:43:00 UTC

This needs a spec for Tripleo, as there is no support for deploying and syncing keys.

it might be possible to do in a manual process, but will not be default, or managed, by openstack overcloud deploy.

Comment 3 Mark McLoughlin 2016-09-05 12:29:00 UTC

Upstream discussion on key rotation: http://lists.openstack.org/pipermail/openstack-dev/2016-August/101262.html

Comment 4 Adam Young 2016-09-07 22:34:04 UTC

A series of reviews in Puppet, Heat, and Tripleo look likely to make this a reality, or at least much closer.

https://review.openstack.org/#/q/topic:keystone/credentials

Comment 5 Nathan Kinder 2016-09-22 19:39:39 UTC

(In reply to Adam Young from comment #4)
> A series of reviews in Puppet, Heat, and Tripleo look likely to make this a
> reality, or at least much closer.
> 
> https://review.openstack.org/#/q/topic:keystone/credentials

These did not actually implement Fernet support, so more work is needed here.

Comment 13 errata-xmlrpc 2016-12-14 15:32:00 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2948.html

Note You need to log in before you can comment on or make changes to this bug.