Unhardcode allow_expired_window directive
Sets allow_expired_window from the pillar when it is defined
Change-Id: If83bedf3ad7dd8a57ce6aa05369bdf0e53188e85
Related-Prod: PROD-27760
(cherry picked from commit 49a50833cc96fb2eb775547af1d39a414fc2756b)
diff --git a/README.rst b/README.rst
index c5a2ad0..e794719 100644
--- a/README.rst
+++ b/README.rst
@@ -769,6 +769,32 @@
ossyslog:
enabled: true
+Enhanced max_active_keys setup
+------------------------------
+
+Rotating keys too frequently, or with ``[fernet_tokens] max_active_keys`` set too low,
+will cause tokens to become invalid prior to their expiration. As tokens may be fetched
+beyond their initial expiration period, keys should not be fully rotated within the
+period of ``[token] expiration`` + ``[token] allow_expired_window`` seconds to prevent the
+tokens becoming unavailable. As an example, the max_active_keys default value can be
+adjusted according to the following specified values:
+``[token] allow_expired_window`` = 86400 (24 hours)
+``[token] expiration`` = 3600 (1 hour)
+rotation_frequency = 1 (1 hour)
+``[fernet_token]max_active_keys`` = (24 + 1)/1 + 2 = 27
+
+.. code-block:: yaml
+
+ keystone:
+ server:
+ ...
+ tokens:
+ engine: fernet
+ expiration: 3600
+ allow_expired_window: 86400
+ max_active_keys: 27
+ ...
+
Usage
=====
diff --git a/keystone/files/ocata/keystone.conf.Debian b/keystone/files/ocata/keystone.conf.Debian
index 2abacd6..017f1c2 100644
--- a/keystone/files/ocata/keystone.conf.Debian
+++ b/keystone/files/ocata/keystone.conf.Debian
@@ -3057,6 +3057,9 @@
# the built-in expiry time. This allows long running operations to succeed.
# Defaults to two days. (integer value)
#allow_expired_window = 172800
+{%- if server.tokens.allow_expired_window is defined %}
+allow_expired_window = {{ server.tokens.allow_expired_window }}
+{%- endif %}
hash_algorithm = {{ server.hash_algorithm }}
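Review bot: The added `{%- if %}` block renders `server.tokens.allow_expired_window` straight from pillar with no comment linking it to `max_active_keys`, although the README hunk in this same commit states that fernet keys must not be fully rotated within `expiration + allow_expired_window` seconds; an operator who raises this value in pillar without also raising `max_active_keys` will see tokens rejected before they expire, and raising it also lengthens the period in which expired tokens remain usable. Add a template comment above the conditional such as `# NOTE: raising allow_expired_window extends how long expired tokens stay usable and requires max_active_keys >= (allow_expired_window + expiration)/rotation_frequency + 2 (see README).` The identical block is added to the pike template in the next hunk and should carry the same comment. The surrounding upstream comment says the option is an integer value, but the interpolation is unquoted and unvalidated; whether to reject a malformed pillar value at render time is a judgement call (a Jinja `|int` filter would silently turn it into 0), so at minimum the integer-only expectation should be stated in the comment.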
diff --git a/keystone/files/pike/keystone.conf.Debian b/keystone/files/pike/keystone.conf.Debian
index c0447e4..c3c0db1 100644
--- a/keystone/files/pike/keystone.conf.Debian
+++ b/keystone/files/pike/keystone.conf.Debian
@@ -3061,6 +3061,9 @@
# the built-in expiry time. This allows long running operations to succeed.
# Defaults to two days. (integer value)
#allow_expired_window = 172800
+{%- if server.tokens.allow_expired_window is defined %}
+allow_expired_window = {{ server.tokens.allow_expired_window }}
+{%- endif %}
hash_algorithm = {{ server.hash_algorithm }}
diff --git a/tests/pillar/cluster.sls b/tests/pillar/cluster.sls
index 1290fc0..30d4694 100644
--- a/tests/pillar/cluster.sls
+++ b/tests/pillar/cluster.sls
@@ -24,6 +24,7 @@
tokens:
engine: cache
expiration: 86400
+ allow_expired_window: 86400
location: /etc/keystone/fernet-keys/
notification: false
notification_format: cadf
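Review bot: The new `allow_expired_window: 86400` key is placed directly after `expiration` here, but the single.sls hunk inserts the same key after `location`, so the two test pillars now list the `tokens` mapping in different orders; keep the key order identical across fixtures for diffability, e.g. move the single.sls line to follow `expiration: 86400`. Neither fixture appears to set `max_active_keys` alongside the new value, so the rotation constraint described in the README is not exercised by the tests, though the rest of each pillar is outside this hunk.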
diff --git a/tests/pillar/single.sls b/tests/pillar/single.sls
index d52812d..b425091 100644
--- a/tests/pillar/single.sls
+++ b/tests/pillar/single.sls
@@ -26,6 +26,7 @@
engine: cache
expiration: 86400
location: /etc/keystone/fernet-keys/
+ allow_expired_window: 86400
notification: false
notification_format: cadf
logging: