Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / salt-models / reclass-system / 1558a8ee927fa4f952fa4fd5c4c0e4adbaa6d03e^! / . / defaults / openstack / init.yml
commit1558a8ee927fa4f952fa4fd5c4c0e4adbaa6d03e[log] [tgz]
authorOleksandr Bryndzii <obryndzii@mirantis.com>Wed Feb 27 14:23:23 2019 +0200
committerobryndzii <obryndzii@mirantis.com>Thu Feb 28 12:49:16 2019 +0000
tree002a701bc5d79ddb9e79a37fb8e1c861ad830647
parentb668ebd74c81ed7d3ba67baf133833f6295c3f55 [diff] [blame]
Update keystone default softparams

Moves _param:keystone_tokens_expiration: 3600 definition
into defaults/openstack/init.yml

Add default soft params for the keystone fernet rotation:
keystone_fernet_rotate_rsync_minute = 0
keystone_fernet_rotate_rsync_hour = '*'

Add default soft param for the keystone [token] allow_expired_window:
keystone_tokens_allow_expired_window = ''

Adjuststed the max_active_keys default value according to the following defaults:
``[token] allow_expired_window`` = 172800 (48 hours)
``[token] expiration`` = 3600 (1 hour)
  rotation_frequency = 1 hour (keystone_fernet_rotate_rsync_minute/hour = 0 *)

max_active_keys = (allow_expired_window + expiration)/rotation_frequency + 2
keystone_tokens_max_active_keys = 51

Change-Id: I7a2a252afb34de9f3c7c4a1549f67d534959ecf9
Related-Prod: PROD-27591

diff --git a/defaults/openstack/init.yml b/defaults/openstack/init.yml
index 75bb601..b0a4c7e 100644
--- a/defaults/openstack/init.yml
+++ b/defaults/openstack/init.yml

@@ -99,6 +99,24 @@
     keystone_old_version: ${_param:openstack_old_version}
     keystone_version: ${_param:openstack_version}
     keystone_upgrade_enabled: ${_param:openstack_upgrade_enabled}
+    # (obryndzii) Rotating keys too frequently, or with ``[fernet_tokens] max_active_keys``
+    # set too low, will cause tokens to become invalid prior to their expiration.
+    # As tokens may be fetched beyond their initial expiration period (nova live migration,
+    # cider volume backup), keys should not be fully rotated within the period of
+    # ``[token] expiration``+``[token] allow_expired_window`` seconds to prevent the tokens
+    # becoming unavailable.
+    # The max_active_keys default value was adjusted according to the following defaults:
+    # [token]/allow_expired_window = 172800 (48 hours)
+    # [token]/expiration = 3600 (1 hour)
+    # rotation_frequency = 1 hour (keystone_fernet_rotate_rsync_minute/hour 0 *)
+    # max_active_keys = (allow_expired_window + expiration)/rotation_frequency + 2
+    # In case of changing those defaults the keystone_tokens_max_active_keys value should be
+    # calculated according to the definition above.
+    keystone_tokens_expiration: 3600
+    keystone_tokens_max_active_keys: 51
+    keystone_tokens_allow_expired_window: ''
+    keystone_fernet_rotate_rsync_minute: 0
+    keystone_fernet_rotate_rsync_hour: '*'
     # Manila
     manila_old_version: ${_param:openstack_old_version}
     manila_version: ${_param:openstack_version}