Hello, Matt,

Thank you for your reply. Just as you mentioned, for slowly changing data, 
async. replication should work. My concern is the impact of replication 
delay, for example (though there is quite a low chance of it happening):

1) Add a new user/group/role in RegionOne. Before the new user/group/role is 
replicated to RegionTwo, the new user begins to access RegionTwo services; 
then, because the data has not arrived yet, the user's request to RegionTwo 
may be rejected because token validation fails in the local Keystone.

2) In the token revoke case. If we remove the user's role in RegionOne, the 
token in RegionOne will be invalid immediately, but before the remove 
operation is replicated to RegionTwo, the user can still use the token to 
access the services in RegionTwo, although it may last only a very short 
interval.

Is there someone who can evaluate whether the security risk is affordable or not?

Best Regards
Chaoyi Huang (joehuang)
________________________________
From: Matt Fischer [m...@mattfischer.com]
Sent: 25 February 2017 11:38
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [keystone]PKI token VS Fernet token


At last, we still have one question:
For public clouds, it is very common that multiple regions are deployed, and 
the distance between the regions is usually very far, so the transport delay 
is really a problem. Fernet tokens require the data to be the same. Because of 
the slow connection and high delay, in our opinion it is unrealistic to let 
the Keystones from different regions use the same Keystone datacenter. Any 
idea about this problem? Thanks.



There's nothing in Fernet tokens that would cause an issue with the 
transportation delay. You could mail the Fernet keys to each region and you'd 
still be fine. Why? Because key rotation means that the "next key" is already 
in place on every box when you rotate keys. There is a widely held 
misconception that all keystone nodes must instantaneously sync keys in every 
region or it won't work; that is simply not true. In fact the main reason we 
switched to Fernet was to REDUCE the load on our cross-region replication. 
Without a database full of tokens to deal with, there's basically nothing to 
replicate, as Joe says below. User/group/role changes for us were more of a 
few-times-a-day operation, rather than getting a token, which is thousands of 
times per second.



__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
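Added example (not part of this thread and not Keystone's own code) that puts both points of the exchange side by side: Matt's observation that a token signed with a freshly rotated key still validates in the other region because that key was already staged there, and the two replication-delay cases Chaoyi lists. It models a keystone-style fernet key repository (index 0 staged, highest index primary, the rest secondary, which is how keystone-manage fernet_rotate leaves the directory) and a per-region identity store that replicates asynchronously, then validates the way Keystone does: signature first, then rehydrating the user and role assignments from the local database. Assumptions: tokens are HMAC-SHA256-signed JSON rather than real Fernet (AES-128-CBC plus HMAC-SHA256, tried against every repository key the way cryptography's MultiFernet does); the Region, KeyRepository, replicate and *_scenario names and the users bob and alice are invented for the illustration; the revocation case is modelled by re-checking the token's roles against current local assignments, where real Keystone uses revocation events on top of the same local lookup.

```python
# Added example (not from the thread or from Keystone): two regions sharing a
# keystone-style fernet key repository, each with an identity store that
# replicates asynchronously. Assumption: tokens are HMAC-SHA256-signed JSON
# standing in for real Fernet (AES-128-CBC + HMAC-SHA256, MultiFernet-style).
import base64, hashlib, hmac, json, os
from dataclasses import dataclass, field

def sign(key, payload):
    return hmac.new(key, payload, hashlib.sha256).digest()

class KeyRepository:
    """/etc/keystone/fernet-keys: 0 = staged, max index = primary, rest = secondary."""

    def __init__(self, keys):
        self.keys = dict(keys)                       # index -> 32-byte key

    def rotate(self):
        """keystone-manage fernet_rotate: staged -> new primary, old primary -> secondary."""
        new_primary = max(self.keys) + 1
        self.keys[new_primary] = self.keys.pop(0)
        self.keys[0] = os.urandom(32)                # fresh staged key

@dataclass
class Region:
    keys: KeyRepository
    assignments: dict = field(default_factory=dict)  # user -> set of roles
    outbox: list = field(default_factory=list)       # identity writes not yet replicated

    def _apply(self, op, user, arg):
        if op == "create_user":
            self.assignments[user] = set(arg)
        else:                                        # "remove_role"
            self.assignments[user].discard(arg)

    def change(self, op, user, arg):
        """Local identity write, queued for async replication to the other region."""
        self._apply(op, user, arg)
        self.outbox.append((op, user, arg))

    def issue_token(self, user):
        payload = json.dumps({"user": user, "roles": sorted(self.assignments[user])}).encode()
        primary = self.keys.keys[max(self.keys.keys)]
        return base64.urlsafe_b64encode(payload + sign(primary, payload)).decode()

    def validate(self, token):
        """MultiFernet-style check against every local key, then LOCAL rehydration."""
        raw = base64.urlsafe_b64decode(token.encode())
        payload, tag = raw[:-32], raw[-32:]
        if not any(hmac.compare_digest(sign(k, payload), tag) for k in self.keys.keys.values()):
            return (False, "bad signature / unknown key")
        claims = json.loads(payload)
        roles = self.assignments.get(claims["user"])
        if roles is None:
            return (False, "user not in local identity store")
        if not set(claims["roles"]) <= roles:
            return (False, "role assignment revoked locally")
        return (True, "ok")

def replicate(src, dst):
    """Async replication catching up: replay src's queued identity writes on dst."""
    for op in src.outbox:
        dst._apply(*op)
    src.outbox.clear()

def build_regions():
    shared = {0: os.urandom(32), 1: os.urandom(32)}  # same key set shipped to both
    r1, r2 = Region(KeyRepository(shared)), Region(KeyRepository(shared))
    r1.assignments["bob"], r2.assignments["bob"] = {"member"}, {"member"}  # already replicated
    return r1, r2

def rotation_scenario():
    """Matt's point: RegionOne rotates first; RegionTwo already holds the new primary as key 0."""
    r1, r2 = build_regions()
    r1.keys.rotate()
    return r2.validate(r1.issue_token("bob"))

def new_user_scenario():
    """Concern 1: alice is created in RegionOne and uses RegionTwo before replication."""
    r1, r2 = build_regions()
    r1.change("create_user", "alice", {"member"})
    tok = r1.issue_token("alice")
    before = r2.validate(tok)
    replicate(r1, r2)
    return before, r2.validate(tok)

def revocation_scenario():
    """Concern 2: role removed in RegionOne; RegionTwo honours the token until replicated."""
    r1, r2 = build_regions()
    tok = r1.issue_token("bob")
    r1.change("remove_role", "bob", "member")
    local, remote_before = r1.validate(tok), r2.validate(tok)
    replicate(r1, r2)
    return local, remote_before, r2.validate(tok)

if __name__ == "__main__":
    print("rotation  :", rotation_scenario())
    print("new user  :", new_user_scenario())
    print("revocation:", revocation_scenario())
```

Running the file prints one result per scenario: the rotation case validates in RegionTwo, the new-user case is refused there with "user not in local identity store" until replicate() runs, and the revocation case is rejected in RegionOne at once but accepted in RegionTwo until the role removal replicates. The key-distribution timeline and the identity-replication timeline are independent: Fernet takes the token table out of cross-region replication, but the user, group and role tables still have to travel, and the second and third scenarios are exactly the window that lag opens.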