Deploy Fernet on the Overcloud
Deploy Fernet on the Red Hat OpenStack Platform director overcloud
Chapter 1. Using Fernet Tokens in the Overcloud
Fernet is now the default token provider, replacing uuid. This guide describes how to review your Fernet deployment, and how to rotate the Fernet keys.
1.1. Review the Fernet Deployment
This procedure reviews your configuration to confirm that Fernet tokens are working correctly.
Retrieve the IP address of the controller node.
[stack@director ~]$ source ~/stackrc
[stack@director ~]$ openstack server list
+--------------------------------------+-------------------------+--------+---------------------+
| ID                                   | Name                    | Status | Networks            |
+--------------------------------------+-------------------------+--------+---------------------+
| 756fbd73-e47b-46e6-959c-e24d7fb71328 | overcloud-controller-0  | ACTIVE | ctlplane=192.0.2.16 |
| 62b869df-1203-4d58-8e45-fac6cd4cfbee | overcloud-novacompute-0 | ACTIVE | ctlplane=192.0.2.8  |
+--------------------------------------+-------------------------+--------+---------------------+
SSH to the controller.
[stack@director ~]$ ssh heat-admin@192.0.2.16
Retrieve the values of the token driver and provider settings.
[heat-admin@overcloud-controller-0 ~]$ sudo crudini --get /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf token driver
sql
[heat-admin@overcloud-controller-0 ~]$ sudo crudini --get /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf token provider
fernet
Test the Fernet provider.
[heat-admin@overcloud-controller-0 ~]$ exit
[stack@director ~]$ source ~/overcloudrc
[stack@director ~]$ openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2016-09-20 05:26:17+00:00                                                                                                                                                               |
| id         | gAAAAABX4LppE8vaiFZ992eah2i3edpO1aDFxlKZq6a_RJzxUx56QVKORrmW0-oZK3-Xuu2wcnpYq_eek2SGLz250eLpZOzxKBR0GsoMfxJU8mEFF8NzfLNcbuS-iz7SV-N1re3XEywSDG90JcgwjQfXW-8jtCm-n3LL5IaZexAYIw059T_-cd8 |
| project_id | 26156621d0d54fc39bf3adb98e63b63d                                                                                                                                                        |
| user_id    | 397daf32cadd490a8f3ac23a626ac06c                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
The result should include the long Fernet token.
1.2. Rotate the Fernet keys
Red Hat recommends erring on the side of security when considering the length of rotation cycles, as the rotation process can be performed with relative ease. If you don’t have any guidance from your security posture, a monthly rotation cycle is a good starting point.
Fernet uses three types of keys, which are stored in /var/lib/config-data/puppet-generated/keystone/etc/keystone/fernet-keys. The highest-numbered directory contains the primary key, which is used to generate new tokens and decrypt existing ones.
During the key rotation process, the primary key is relegated to secondary key status, and a new primary key is issued, thereby reducing the value of a compromised primary key. Secondary keys can only be used to decrypt tokens that were created with previous primary keys, and cannot issue new ones.
1.2.1. Rotate the Fernet Keys Using Mistral
By default, director is configured to manage the overcloud’s Fernet keys; this setting is managed in the environment file using ManageKeystoneFernetKeys. As a result, the Fernet keys are stored in Mistral (under KeystoneFernetKeys). This approach means that you can rotate the Fernet keys with Mistral, and they will still persist after stack updates.
Review the existing Fernet keys.
Identify the Fernet key location.
# SSH back to the controller
[heat-admin@overcloud-controller-0 ~]$ sudo crudini --get /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf fernet_tokens key_repository
/etc/keystone/fernet-keys
Note: The /etc/keystone/ directory refers to the container file system path.
Review the current Fernet key directories.
[heat-admin@overcloud-controller-0 ~]$ sudo ls /var/lib/config-data/puppet-generated/keystone/etc/keystone/fernet-keys
0  1  2
- 0 - Contains the staged key (which becomes the next primary key) and will always be numbered 0.
- 1 - Contains the secondary key.
- 2 - Contains the primary key. This number will increment each time the keys are rotated, with the highest number always serving as the primary key.
Note:
- The maximum number of keys is determined by the max_active_keys property, by default 5 keys.
- The keys are propagated across all controllers.
Rotate the Fernet keys using the Mistral workflow.
[stack@director ~]$ source ~/stackrc
[stack@director ~]$ openstack workflow execution create tripleo.fernet_keys.v1.rotate_fernet_keys '{"container": "overcloud"}'
+-------------------+-------------------------------------------+
| Field             | Value                                     |
+-------------------+-------------------------------------------+
| ID                | 58c9c664-b966-4f82-b368-af5ed8de5b47      |
| Workflow ID       | 78f0990a-3d34-4bf2-a127-10c149bb275c      |
| Workflow name     | tripleo.fernet_keys.v1.rotate_fernet_keys |
| Description       |                                           |
| Task Execution ID | <none>                                    |
| State             | RUNNING                                   |
| State info        | None                                      |
| Created at        | 2017-12-20 11:13:50                       |
| Updated at        | 2017-12-20 11:13:50                       |
+-------------------+-------------------------------------------+
Get the ID and ensure that the workflow was executed successfully.
[stack@director ~]$ openstack workflow execution show 58c9c664-b966-4f82-b368-af5ed8de5b47
+-------------------+-------------------------------------------+
| Field             | Value                                     |
+-------------------+-------------------------------------------+
| ID                | 58c9c664-b966-4f82-b368-af5ed8de5b47      |
| Workflow ID       | 78f0990a-3d34-4bf2-a127-10c149bb275c      |
| Workflow name     | tripleo.fernet_keys.v1.rotate_fernet_keys |
| Description       |                                           |
| Task Execution ID | <none>                                    |
| State             | SUCCESS                                   |
| State info        | None                                      |
| Created at        | 2017-12-20 11:13:50                       |
| Updated at        | 2017-12-20 11:15:00                       |
+-------------------+-------------------------------------------+
On the controller, review the number of Fernet keys, and compare with the previous result.
[heat-admin@overcloud-controller-0 ~]$ sudo ls /var/lib/config-data/puppet-generated/keystone/etc/keystone/fernet-keys
0  1  2  3
- 0 - Contains the staged key, and will always be numbered 0. This key will be promoted to a primary key during the next rotation.
- 1 & 2 - Contain the secondary keys.
- 3 - Contains the primary key. This number will increment each time the keys are rotated, with the highest number always serving as the primary key.
Note:
- The maximum number of keys is determined by the max_active_keys property, by default 5 keys.
- The keys are propagated across all controllers.
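The following Python is an added illustration, not part of this Red Hat documentation or of Keystone's own code. It models the rotation sequence described above on a temporary key repository: key 0 is promoted to the new primary, a fresh staged key is written as 0, and once the repository reaches max_active_keys (5 by default) the lowest-numbered secondary is purged. The key bytes are constructed with os.urandom in the 32-byte URL-safe base64 format Fernet uses; the 0 1 2 to 0 1 2 3 sequence matches the listings on this page.

```python
import base64
import os
import tempfile
from pathlib import Path


def generate_fernet_key() -> bytes:
    # 32 random bytes, URL-safe base64: the format Fernet.generate_key() produces.
    return base64.urlsafe_b64encode(os.urandom(32))


def list_keys(repo: Path) -> list[int]:
    # Numeric file names only: 0 is the staged key, the highest number the primary.
    return sorted(int(p.name) for p in repo.iterdir() if p.name.isdigit())


def rotate_keys(repo: Path, max_active_keys: int = 5) -> list[int]:
    """One rotation: staged key 0 becomes the primary (new highest number), a fresh
    staged key is written as 0, and the oldest secondaries are purged so that no
    more than max_active_keys files remain. Returns the resulting key ids."""
    new_primary = max(list_keys(repo)) + 1
    (repo / "0").rename(repo / str(new_primary))
    (repo / "0").write_bytes(generate_fernet_key())
    # Keep key 0 plus the (max_active_keys - 1) newest other keys; a token issued
    # under a purged key can no longer be validated by any controller.
    active = [k for k in list_keys(repo) if k != 0]
    while len(active) > max_active_keys - 1:
        (repo / str(active.pop(0))).unlink()
    return list_keys(repo)


def demo() -> dict:
    """Start from the page's '0 1 2' listing, rotate once to get '0 1 2 3', then
    rotate three more times to show the max_active_keys=5 cap pruning old keys."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        for key_id in range(3):  # constructed starting repository: 0 1 2
            (repo / str(key_id)).write_bytes(generate_fernet_key())
        staged = (repo / "0").read_bytes()
        after_one = rotate_keys(repo)
        promoted = (repo / "3").read_bytes() == staged  # staged key is now primary 3
        for _ in range(3):
            rotate_keys(repo)
        return {"after_one": after_one, "promoted": promoted,
                "after_four": list_keys(repo)}


if __name__ == "__main__":
    print(demo())
```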