yahoo-eng-team team mailing list archive
Message #33767
[Bug 1465444] [NEW] Fernet key rotation removing keys early
Public bug reported:
When setting up Fernet key rotation with a maximum number of active
keys set to 25, it turned out that 'keystone-manage fernet_rotate'
started deleting two keys once it reached 13 existing keys. It would
waver between 12 and 13 keys every time it was rotated. It looks like
this might be related to the range of keys to remove being negative:
excess_keys = ( keys[:len(key_files) - CONF.fernet_tokens.max_active_keys + 1])
.. ends up being excess_keys = ( keys[:-11] )
.. which seems to be dipping back into the range of keys that should still be good and removing those.
Adding something like: "if len(key_files) -
CONF.fernet_tokens.max_active_keys + 1 >= 0" for the purge excess keys
section seemed to allow us to generate all 25 keys, then rotate as
normal. Once we hit the full 25 keys, this additional line was no longer
needed.
Attaching some log information showing the available keys going from 12,
13, 12, 13.
** Affects: keystone
Importance: Undecided
Status: New
** Attachment added: "fernet.txt"
https://bugs.launchpad.net/bugs/1465444/+attachment/4415339/+files/fernet.txt
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1465444
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1465444/+subscriptions
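As an added illustration of the slice arithmetic the report describes (my own in-memory model, not keystone's code and not the fix that was eventually merged), the following runs the reported purge slice beside a guarded version through repeated rotations. It assumes keystone's convention of integer-named key files with 0 as the staged key and a fresh repository holding keys 0 and 1.

```python
# Added example, not keystone's own code: a filesystem-free model of the
# rotation step the report describes. Key files are represented by their
# integer names as keystone stores them (assumption); 0 is the staged key,
# the highest index is the primary. The purge helpers take the non-staged
# key indices, which is what the report's slice operates on.


def purge_excess_buggy(active, max_active_keys):
    """The reported slice. When there are fewer than max_active_keys - 1
    active keys the bound is negative, so keys[:-11] means 'all but the
    newest 11' and selects the oldest keys instead of selecting nothing."""
    keys = sorted(active)
    return keys[:len(keys) - max_active_keys + 1]


def purge_excess_guarded(active, max_active_keys):
    """Same intent with the guard the report suggests: purge only when
    the computed number of excess keys is positive."""
    keys = sorted(active)
    n_excess = len(keys) - max_active_keys + 1
    return keys[:n_excess] if n_excess > 0 else []


def rotate(on_disk, max_active_keys, purge):
    """One rotation: promote staged key 0 to the new primary, purge, then
    stage a fresh key 0. Returns the sorted key indices left on disk."""
    active = set(on_disk)
    active.discard(0)
    active.add(max(active) + 1 if active else 1)  # promoted primary
    active.difference_update(purge(active, max_active_keys))
    active.add(0)  # newly staged key
    return sorted(active)


def simulate(rotations, max_active_keys, purge):
    """Start from a fresh repository (staged 0 and primary 1), rotate
    `rotations` times and return the key-file count after each rotation."""
    on_disk = [0, 1]
    counts = []
    for _ in range(rotations):
        on_disk = rotate(on_disk, max_active_keys, purge)
        counts.append(len(on_disk))
    return counts


if __name__ == "__main__":
    # Buggy: climbs to 13, then alternates 12, 13, 12, 13 as in the report.
    print(simulate(16, 25, purge_excess_buggy))
    # Guarded: climbs to 25 and stays there.
    print(simulate(30, 25, purge_excess_guarded))
```

With max_active_keys = 25 the buggy slice starts discarding the two oldest keys as soon as 13 non-staged keys exist, which is the 12/13 oscillation in the attached log; the guard lets the repository fill to 25 and purge one key per rotation from then on.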