Unhardcode allow_expired_window directive
Sets up allow_expired_window from pillar if defined
Change-Id: If83bedf3ad7dd8a57ce6aa05369bdf0e53188e85
Related-Prod: PROD-27591
diff --git a/README.rst b/README.rst
index 5a0fedf..53d0198 100644
--- a/README.rst
+++ b/README.rst
@@ -869,6 +869,32 @@
You can read more about it here:
https://docs.openstack.org/security-guide/databases/database-access-control.html
+Enhanced max_active_keys setup
+------------------------------
+
+Rotating keys too frequently, or with ``[fernet_tokens] max_active_keys`` set too low,
+will cause tokens to become invalid prior to their expiration. As tokens may be fetched
+beyond their initial expiration period, keys should not be fully rotated within the
+period of ``[token] expiration`` + ``[token] allow_expired_window`` seconds to prevent the
+tokens becoming unavailable. As an example, the max_active_keys default value can be
+adjusted according to the following specified values:
+``[token] allow_expired_window`` = 86400 (24 hours)
+``[token] expiration`` = 3600 (1 hour)
+rotation_frequency = 1 (1 hour)
+``[fernet_token]max_active_keys`` = (24 + 1)/1 + 2 = 27
+
+.. code-block:: yaml
+
+ keystone:
+ server:
+ ...
+ tokens:
+ engine: fernet
+ expiration: 3600
+ allow_expired_window: 86400
+ max_active_keys: 27
+ ...
+
Upgrades
========
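Review bot: the section name on the formula line is wrong and inconsistent with the paragraph above it: the paragraph correctly says ``[fernet_tokens] max_active_keys`` but the worked example writes ``[fernet_token]max_active_keys`` (singular, no space); please correct it to ``[fernet_tokens] max_active_keys`` so a reader copying the option name into keystone.conf lands in the right section. The arithmetic itself checks out ((86400 + 3600) / 3600 + 2 = 27), but the four value lines are bare RST paragraph text and will be run together into a single line when rendered; put them in a bullet list or a ``::`` literal block, and state the units consistently (``rotation_frequency = 1 (1 hour)`` is in hours while the two keystone options are in seconds, which is why the formula divides 24 + 1 rather than 86400 + 3600). Since the commit message says ``allow_expired_window`` is taken from pillar "if defined", the README should also say what value is applied when the pillar key is omitted, because the ``max_active_keys`` calculation depends on it. Finally, worth one sentence of caveat next to the example: raising ``max_active_keys`` keeps that many older keys valid for decryption, and a 24-hour ``allow_expired_window`` lets already-expired tokens be validated for a further day, so operators should treat the 86400/27 pair as an illustration of the formula rather than a recommended value.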