[Yahoo-eng-team] [Bug 1465444] Re: Fernet key rotation removing keys early

2016-01-21 Thread Dave Walker
** Changed in: keystone/kilo
   Status: Fix Released => Fix Committed

** Changed in: keystone/kilo
Milestone: 2015.1.2 => 2015.1.3

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1465444

Title:
  Fernet key rotation removing keys early

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Identity (keystone) kilo series:
  Fix Committed

Bug description:
  When setting up Fernet key rotation with a maximum number of active
  keys set to 25, it turned out that 'keystone-manage fernet_rotate'
  started deleting two keys once it reached 13 existing keys. It
  would waver between 12 and 13 keys every time it was rotated. It looks
  like this might be related to the range of keys to remove being
  negative:

  excess_keys = ( keys[:len(key_files) - CONF.fernet_tokens.max_active_keys + 1])
  .. ends up being excess_keys = ( keys[:-11] )
  .. which seems to be dipping back into the range of keys that should still be
  good and removing those.

  Adding something like: "if len(key_files) -
  CONF.fernet_tokens.max_active_keys + 1 >= 0" for the purge excess keys
  section seemed to allow us to generate all 25 keys, then rotate as
  normal. Once we hit the full 25 keys, this additional line was no
  longer needed.

  Attaching some log information showing the available keys going from
  12, 13, 12, 13.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1465444/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
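
Added example (not part of the original bug report and not keystone's source): a simplified Python model of the rotation described above. It shows how the negative slice bound makes the key count oscillate between 12 and 13 with max_active_keys = 25, and how a non-negative guard like the one the reporter suggests lets the repository reach 25. The function names, the set-of-integers repository and the initial state {0, 1} are assumptions made for illustration.

```python
# Simplified model of a Fernet key repository: a set of integer file names.
# 0 is the staged key, the highest number is the primary key.
# Names and structure are illustrative assumptions, not keystone's source.

MAX_ACTIVE_KEYS = 25  # value used in the report


def excess_unguarded(keys, n_files, max_active):
    # The slice quoted in the report. A negative bound counts from the end
    # of the list, so keys are selected long before the limit is reached.
    return keys[:n_files - max_active + 1]


def excess_guarded(keys, n_files, max_active):
    # Guard along the lines the reporter suggests: purge only when the
    # bound is non-negative.
    bound = n_files - max_active + 1
    return keys[:bound] if bound >= 0 else []


def rotate(repo, max_active, select_excess):
    """Promote staged key 0 to primary, stage a new key 0, purge excess."""
    active = set(repo)
    active.discard(0)
    active.add(max(repo) + 1)            # staged key becomes the new primary
    keys = sorted(active)                # oldest key first
    doomed = select_excess(keys, len(active), max_active)
    return (active - set(doomed)) | {0}  # add the newly staged key


def simulate(rotations, max_active, select_excess):
    """Return the number of key files present after each rotation."""
    repo = {0, 1}                        # assumed state after initial setup
    counts = []
    for _ in range(rotations):
        repo = rotate(repo, max_active, select_excess)
        counts.append(len(repo))
    return counts


if __name__ == "__main__":
    print("unguarded:", simulate(30, MAX_ACTIVE_KEYS, excess_unguarded))
    print("guarded:  ", simulate(30, MAX_ACTIVE_KEYS, excess_guarded))
```
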


[Yahoo-eng-team] [Bug 1465444] Re: Fernet key rotation removing keys early

2016-01-21 Thread Dave Walker
** Changed in: keystone/kilo
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1465444

Title:
  Fernet key rotation removing keys early

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Identity (keystone) kilo series:
  Fix Released



[Yahoo-eng-team] [Bug 1465444] Re: Fernet key rotation removing keys early

2015-10-13 Thread Chuck Short
** Changed in: keystone/kilo
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1465444

Title:
  Fernet key rotation removing keys early

Status in Keystone:
  Fix Released
Status in Keystone kilo series:
  Fix Released



[Yahoo-eng-team] [Bug 1465444] Re: Fernet key rotation removing keys early

2015-07-30 Thread Dolph Mathews
** Also affects: keystone/kilo
   Importance: Undecided
   Status: New

** Changed in: keystone/kilo
   Status: New => In Progress

** Changed in: keystone/kilo
   Importance: Undecided => High

** Changed in: keystone/kilo
 Assignee: (unassigned) => Dolph Mathews (dolph)

** Tags removed: kilo-backport-potential

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1465444

Title:
  Fernet key rotation removing keys early

Status in Keystone:
  Fix Released
Status in Keystone kilo series:
  In Progress



[Yahoo-eng-team] [Bug 1465444] Re: Fernet key rotation removing keys early

2015-06-23 Thread Doug Hellmann
** Changed in: keystone
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1465444

Title:
  Fernet key rotation removing keys early

Status in OpenStack Identity (Keystone):
  Fix Released
