Unhardcode allow_expired_window directive
Sets allow_expired_window from the pillar value when one is defined
Change-Id: If83bedf3ad7dd8a57ce6aa05369bdf0e53188e85
Related-Prod: PROD-27591
diff --git a/README.rst b/README.rst
index 5a0fedf..53d0198 100644
--- a/README.rst
+++ b/README.rst
@@ -869,6 +869,32 @@
You can read more about it here:
https://docs.openstack.org/security-guide/databases/database-access-control.html
+Enhanced max_active_keys setup
+------------------------------
+
+Rotating keys too frequently, or with ``[fernet_tokens] max_active_keys`` set too low,
+will cause tokens to become invalid prior to their expiration. As tokens may be fetched
+beyond their initial expiration period, keys should not be fully rotated within the
+period of ``[token] expiration`` + ``[token] allow_expired_window`` seconds to prevent the
+tokens becoming unavailable. As an example, the max_active_keys default value can be
+adjusted according to the following specified values:
+``[token] allow_expired_window`` = 86400 (24 hours)
+``[token] expiration`` = 3600 (1 hour)
+rotation_frequency = 1 (1 hour)
+``[fernet_token]max_active_keys`` = (24 + 1)/1 + 2 = 27
+
+.. code-block:: yaml
+
+ keystone:
+ server:
+ ...
+ tokens:
+ engine: fernet
+ expiration: 3600
+ allow_expired_window: 86400
+ max_active_keys: 27
+ ...
+
Upgrades
========
diff --git a/keystone/files/ocata/keystone.conf.Debian b/keystone/files/ocata/keystone.conf.Debian
index 70047dd..3158842 100644
--- a/keystone/files/ocata/keystone.conf.Debian
+++ b/keystone/files/ocata/keystone.conf.Debian
@@ -3060,6 +3060,9 @@
# the built-in expiry time. This allows long running operations to succeed.
# Defaults to two days. (integer value)
#allow_expired_window = 172800
+{%- if server.tokens.allow_expired_window is defined %}
+allow_expired_window = {{ server.tokens.allow_expired_window }}
+{%- endif %}
hash_algorithm = {{ server.hash_algorithm }}
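Review bot: The new Jinja block renders whatever the pillar holds straight into `allow_expired_window` with no check that it is an integer or that `[fernet_tokens] max_active_keys` covers it, so a typo or a large window silently either breaks keystone startup (non-integer) or lets fernet keys rotate out while tokens are still fetchable under the window — the README hunk in this same commit documents that relationship, but nothing in the template points at it. The same block is repeated verbatim in the pike, queens and rocky templates (hunks ending at L63, L75 and L87), so the point applies to all four. I would add a `#` comment ahead of the guard, e.g. `# Pillar override; keys must not be fully rotated within expiration + allow_expired_window, so raise max_active_keys accordingly (see README)`, and consider rendering the value with `|int` so a non-numeric pillar value is caught at state-render time rather than by keystone at start. The `[token]` section these lines sit in starts and ends outside the hunk.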
diff --git a/keystone/files/pike/keystone.conf.Debian b/keystone/files/pike/keystone.conf.Debian
index 8693cdd..f2d2fbd 100644
--- a/keystone/files/pike/keystone.conf.Debian
+++ b/keystone/files/pike/keystone.conf.Debian
@@ -3078,6 +3078,9 @@
# the built-in expiry time. This allows long running operations to succeed.
# Defaults to two days. (integer value)
#allow_expired_window = 172800
+{%- if server.tokens.allow_expired_window is defined %}
+allow_expired_window = {{ server.tokens.allow_expired_window }}
+{%- endif %}
hash_algorithm = {{ server.hash_algorithm }}
diff --git a/keystone/files/queens/keystone.conf.Debian b/keystone/files/queens/keystone.conf.Debian
index c4d0c1b..492bb4f 100644
--- a/keystone/files/queens/keystone.conf.Debian
+++ b/keystone/files/queens/keystone.conf.Debian
@@ -1687,6 +1687,9 @@
# for beyond the built-in expiry time. This allows long running
# operations to succeed. Defaults to two days. (integer value)
#allow_expired_window = 172800
+{%- if server.tokens.allow_expired_window is defined %}
+allow_expired_window = {{ server.tokens.allow_expired_window }}
+{%- endif %}
hash_algorithm = {{ server.hash_algorithm }}
diff --git a/keystone/files/rocky/keystone.conf.Debian b/keystone/files/rocky/keystone.conf.Debian
index 1c6f51d..0899d7a 100644
--- a/keystone/files/rocky/keystone.conf.Debian
+++ b/keystone/files/rocky/keystone.conf.Debian
@@ -1566,6 +1566,9 @@
# the built-in expiry time. This allows long running operations to succeed.
# Defaults to two days. (integer value)
#allow_expired_window = 172800
+{%- if server.tokens.allow_expired_window is defined %}
+allow_expired_window = {{ server.tokens.allow_expired_window }}
+{%- endif %}
hash_algorithm = {{ server.hash_algorithm }}
diff --git a/tests/pillar/cluster.sls b/tests/pillar/cluster.sls
index 9d76228..d00b666 100644
--- a/tests/pillar/cluster.sls
+++ b/tests/pillar/cluster.sls
@@ -24,6 +24,7 @@
tokens:
engine: cache
expiration: 86400
+ allow_expired_window: 86400
location: /etc/keystone/fernet-keys/
notification: false
notification_format: cadf
diff --git a/tests/pillar/single.sls b/tests/pillar/single.sls
index 06c1722..052657f 100644
--- a/tests/pillar/single.sls
+++ b/tests/pillar/single.sls
@@ -70,6 +70,7 @@
engine: fernet
expiration: 86400
location: /etc/keystone/fernet-keys/
+ allow_expired_window: 86400
notification: true
notification_format: cadf
logging:
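Review bot: `allow_expired_window` is inserted after `location:` here but directly after `expiration:` in tests/pillar/cluster.sls (hunk ending at L99); keeping the two test pillars in the same key order makes it easier to diff them and to see that the window is a token-lifetime setting rather than a key-storage one. This pillar uses the fernet engine with `expiration: 86400` plus a 24-hour window, i.e. tokens may be validated up to 48 hours after issue; `max_active_keys` is not visible in the hunk, so it is worth confirming the test pillar sets it high enough per the formula this commit adds to the README. The `tokens:` mapping starts outside the hunk.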