第1章 Using Fernet keys for encryption in the overcloud
Fernet is the default token provider, that replaces uuid
. You can review your Fernet deployment and rotate the Fernet keys.
1.1. Reviewing the Fernet deployment
Review your configuration to confirm that Fernet tokens are working correctly.
Procedure
Retrieve the IP address of the controller node:
[stack@director ~]$ source ~/stackrc [stack@director ~]$ openstack server list
--------------------------------------
---------------------------------
---------------------+ | ID | Name | Status | Networks |--------------------------------------
---------------------------------
---------------------+ | 756fbd73-e47b-46e6-959c-e24d7fb71328 | overcloud-controller-0 | ACTIVE | ctlplane=192.0.2.16 | | 62b869df-1203-4d58-8e45-fac6cd4cfbee | overcloud-novacompute-0 | ACTIVE | ctlplane=192.0.2.8 |--------------------------------------
---------------------------------
---------------------+SSH into the Controller node:
[heat-admin@overcloud-controller-0 ~]$ ssh heat-admin@192.0.2.16
Retrieve the values of the token driver and provider settings:
[heat-admin@overcloud-controller-0 ~]$ sudo crudini --get /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf token driver sql [heat-admin@overcloud-controller-0 ~]$ sudo crudini --get /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf token provider fernet
Test the Fernet provider:
[heat-admin@overcloud-controller-0 ~]$ exit [stack@director ~]$ source ~/overcloudrc [stack@director ~]$ openstack token issue
------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Field | Value |------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | expires | 2016-09-20 05:26:17+00:00 | | id | gAAAAABX4LppE8vaiFZ992eah2i3edpO1aDFxlKZq6a_RJzxUx56QVKORrmW0-oZK3-Xuu2wcnpYq_eek2SGLz250eLpZOzxKBR0GsoMfxJU8mEFF8NzfLNcbuS-iz7SV-N1re3XEywSDG90JcgwjQfXW-8jtCm-n3LL5IaZexAYIw059T_-cd8 | | project_id | 26156621d0d54fc39bf3adb98e63b63d | | user_id | 397daf32cadd490a8f3ac23a626ac06c |------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+The result includes the long Fernet token.