
yahoo-eng-team team mailing list archive

[Bug 1555137] Re: Transition from UUID/PKI to Fernet without dumping all tokens

 

Fernet was the recommended token in Newton and the default in Ocata.
Only in Ocata do we actually support zero downtime upgrades, so you'll
have to restart keystone and have downtime between upgrades anyway. This
should be done as part of a maintenance window. I'm marking this as
WONTFIX because I don't believe anyone on the core team will fix the
issue and in Ocata and Pike (when Fernet is default), this won't be an
issue.

** Changed in: keystone
       Status: Triaged => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1555137

Title:
  Transition from UUID/PKI to Fernet without dumping all tokens

Status in OpenStack Identity (keystone):
  Won't Fix

Bug description:
  To minimize downtime, the conversion from persisted to ephemeral
  tokens should happen in two steps.  The first migrates tokens over to
  the Fernet format, but will fall back to persisted store if the
  requested token is not in Fernet format.  The second removes
  persistence.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1555137/+subscriptions

