)]}'
{"ansible/group_vars/all.yml":[{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"c4b31dce1f1110391a45088525edaeb429b78940","unresolved":false,"context_lines":[{"line_number":744,"context_line":"# Keystone fernet token expiry in seconds. Default is 1 day."},{"line_number":745,"context_line":"fernet_token_expiry: 86400"},{"line_number":746,"context_line":"# Keystone window to allow expired fernet tokens. Default is 2 days."},{"line_number":747,"context_line":"fernet_allow_expired_window: 172800"},{"line_number":748,"context_line":"# Keystone fernet key rotation interval in seconds. Default is sum of token"},{"line_number":749,"context_line":"# expiry and allow expired window, 3 days. This ensures the minimum number"},{"line_number":750,"context_line":"# of keys are active. If this interval is lower than the sum of the token"}],"source_content_type":"text/x-yaml","patch_set":3,"id":"dfbec78f_d8ca469f","line":747,"range":{"start_line":747,"start_character":0,"end_line":747,"end_character":27},"updated":"2019-05-16 09:28:01.000000000","message":"Maybe we should call this \"fernet_token_allow_expired_window\"? Just so it\u0027s clear it\u0027s not the fernet key.","commit_id":"c09c442a20aec3c121d5d203e4e11017c33d86c3"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"ede4b870ab76471e84f4178f709824a967e6de6c","unresolved":false,"context_lines":[{"line_number":744,"context_line":"# Keystone fernet token expiry in seconds. Default is 1 day."},{"line_number":745,"context_line":"fernet_token_expiry: 86400"},{"line_number":746,"context_line":"# Keystone window to allow expired fernet tokens. Default is 2 days."},{"line_number":747,"context_line":"fernet_allow_expired_window: 172800"},{"line_number":748,"context_line":"# Keystone fernet key rotation interval in seconds. 
Default is sum of token"},{"line_number":749,"context_line":"# expiry and allow expired window, 3 days. This ensures the minimum number"},{"line_number":750,"context_line":"# of keys are active. If this interval is lower than the sum of the token"}],"source_content_type":"text/x-yaml","patch_set":3,"id":"dfbec78f_4ed9ac1f","line":747,"range":{"start_line":747,"start_character":0,"end_line":747,"end_character":27},"in_reply_to":"dfbec78f_d8ca469f","updated":"2019-05-16 11:18:03.000000000","message":"Done","commit_id":"c09c442a20aec3c121d5d203e4e11017c33d86c3"}],"ansible/roles/keystone/files/fernet_rotate_cron_generator.py":[{"author":{"_account_id":17669,"name":"Doug Szumski","email":"doug@stackhpc.com","username":"DougSzumski"},"change_message_id":"cd5082672922c4b8576437eb08c000297a08d5e4","unresolved":false,"context_lines":[{"line_number":60,"context_line":"    # Can\u0027t currently rotate less than once per week."},{"line_number":61,"context_line":"    if total_rotation_mins \u003e WEEK_SPAN:"},{"line_number":62,"context_line":"        msg \u003d (\"Unable to schedule fernet key rotation with an interval \""},{"line_number":63,"context_line":"               \"greater than 1 week divided by the number of hosts\")"},{"line_number":64,"context_line":"        raise RotationIntervalTooLong(msg)"},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"    # Build crons multiple of a day"}],"source_content_type":"text/x-python","patch_set":7,"id":"9fb8cfa7_be5fdf3f","line":63,"range":{"start_line":63,"start_character":23,"end_line":63,"end_character":67},"updated":"2019-06-05 10:44:30.000000000","message":"nit: might be nice to just work out the interval given everything is available.","commit_id":"6c1442c385450004dd253f3f464fe4336194be99"}],"ansible/roles/keystone/templates/keystone.conf.j2":[{"author":{"_account_id":782,"name":"John 
Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"c4b31dce1f1110391a45088525edaeb429b78940","unresolved":false,"context_lines":[{"line_number":44,"context_line":"max_active_keys \u003d {{ (fernet_token_expiry | int +"},{"line_number":45,"context_line":"                      fernet_allow_expired_window | int +"},{"line_number":46,"context_line":"                      fernet_key_rotation_interval | int - 1) //"},{"line_number":47,"context_line":"                     fernet_key_rotation_interval | int + 2 }}"},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"[cache]"},{"line_number":50,"context_line":"backend \u003d oslo_cache.memcache_pool"}],"source_content_type":"text/x-jinja2","patch_set":3,"id":"dfbec78f_380b62d6","line":47,"range":{"start_line":47,"start_character":55,"end_line":47,"end_character":57},"updated":"2019-05-16 09:28:01.000000000","message":"Nit: I would be tempted by more brackets here, but meh, its personal preference.","commit_id":"c09c442a20aec3c121d5d203e4e11017c33d86c3"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"ede4b870ab76471e84f4178f709824a967e6de6c","unresolved":false,"context_lines":[{"line_number":44,"context_line":"max_active_keys \u003d {{ (fernet_token_expiry | int +"},{"line_number":45,"context_line":"                      fernet_allow_expired_window | int +"},{"line_number":46,"context_line":"                      fernet_key_rotation_interval | int - 1) //"},{"line_number":47,"context_line":"                     fernet_key_rotation_interval | int + 2 }}"},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"[cache]"},{"line_number":50,"context_line":"backend \u003d 
oslo_cache.memcache_pool"}],"source_content_type":"text/x-jinja2","patch_set":3,"id":"dfbec78f_ee01806b","line":47,"range":{"start_line":47,"start_character":55,"end_line":47,"end_character":57},"in_reply_to":"dfbec78f_380b62d6","updated":"2019-05-16 11:18:03.000000000","message":"Done","commit_id":"c09c442a20aec3c121d5d203e4e11017c33d86c3"}],"doc/source/reference/shared-services/keystone-guide.rst":[{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"c4b31dce1f1110391a45088525edaeb429b78940","unresolved":false,"context_lines":[{"line_number":14,"context_line":"~~~~~~~~~~~~~"},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"Fernet tokens require the use of keys that must be synchronised between"},{"line_number":17,"context_line":"Keystone servers. Kolla Ansible deploys two containers to handle this -"},{"line_number":18,"context_line":"``keystone_ssh`` is an SSH server, and ``keystone_fernet`` runs cron jobs"},{"line_number":19,"context_line":"to rotate keys when necessary. 
In a multi-host control plane, these rotations"},{"line_number":20,"context_line":"are performed by the hosts in a round-robin manner."},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"The following variables may be used to configure the token expiry and key"},{"line_number":23,"context_line":"rotation."}],"source_content_type":"text/x-rst","patch_set":3,"id":"dfbec78f_f8294a36","line":20,"range":{"start_line":17,"start_character":0,"end_line":20,"end_character":51},"updated":"2019-05-16 09:28:01.000000000","message":"Nit: Maybe reverse the order, so you can say the cron job running in keystone_fernet distributes keys via rsync into the keystone_ssh container on each controller?","commit_id":"c09c442a20aec3c121d5d203e4e11017c33d86c3"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"ede4b870ab76471e84f4178f709824a967e6de6c","unresolved":false,"context_lines":[{"line_number":14,"context_line":"~~~~~~~~~~~~~"},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"Fernet tokens require the use of keys that must be synchronised between"},{"line_number":17,"context_line":"Keystone servers. Kolla Ansible deploys two containers to handle this -"},{"line_number":18,"context_line":"``keystone_ssh`` is an SSH server, and ``keystone_fernet`` runs cron jobs"},{"line_number":19,"context_line":"to rotate keys when necessary. 
In a multi-host control plane, these rotations"},{"line_number":20,"context_line":"are performed by the hosts in a round-robin manner."},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"The following variables may be used to configure the token expiry and key"},{"line_number":23,"context_line":"rotation."}],"source_content_type":"text/x-rst","patch_set":3,"id":"dfbec78f_6e8cb0d6","line":20,"range":{"start_line":17,"start_character":0,"end_line":20,"end_character":51},"in_reply_to":"dfbec78f_f8294a36","updated":"2019-05-16 11:18:03.000000000","message":"Done","commit_id":"c09c442a20aec3c121d5d203e4e11017c33d86c3"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"c4b31dce1f1110391a45088525edaeb429b78940","unresolved":false,"context_lines":[{"line_number":23,"context_line":"rotation."},{"line_number":24,"context_line":""},{"line_number":25,"context_line":"``fernet_token_expiry``"},{"line_number":26,"context_line":"    Keystone fernet token expiry in seconds. Default is 86400, or 1 day."},{"line_number":27,"context_line":"``fernet_allow_expired_window``"},{"line_number":28,"context_line":"    Keystone window to allow expired fernet tokens. Default is 172800, or 2"},{"line_number":29,"context_line":"    days."}],"source_content_type":"text/x-rst","patch_set":3,"id":"dfbec78f_b8e4320e","line":26,"range":{"start_line":26,"start_character":63,"end_line":26,"end_character":65},"updated":"2019-05-16 09:28:01.000000000","message":"Nit: maybe \"that is\"? 
to help translation really.","commit_id":"c09c442a20aec3c121d5d203e4e11017c33d86c3"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"ede4b870ab76471e84f4178f709824a967e6de6c","unresolved":false,"context_lines":[{"line_number":23,"context_line":"rotation."},{"line_number":24,"context_line":""},{"line_number":25,"context_line":"``fernet_token_expiry``"},{"line_number":26,"context_line":"    Keystone fernet token expiry in seconds. Default is 86400, or 1 day."},{"line_number":27,"context_line":"``fernet_allow_expired_window``"},{"line_number":28,"context_line":"    Keystone window to allow expired fernet tokens. Default is 172800, or 2"},{"line_number":29,"context_line":"    days."}],"source_content_type":"text/x-rst","patch_set":3,"id":"dfbec78f_4e91acf0","line":26,"range":{"start_line":26,"start_character":63,"end_line":26,"end_character":65},"in_reply_to":"dfbec78f_b8e4320e","updated":"2019-05-16 11:18:03.000000000","message":"Done","commit_id":"c09c442a20aec3c121d5d203e4e11017c33d86c3"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"c4b31dce1f1110391a45088525edaeb429b78940","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"dfbec78f_b87bd225","line":35,"updated":"2019-05-16 09:28:01.000000000","message":"I think we should cover the over-rotation risk, and link to the keystone docs for more information.\n\nMaybe as an example, if you wanted to rotate keys more frequently, you can choose a token_expiry of 1 hour and an allow_expired_window of 11 hours, thus you get key rotation every half day, spread between the three controllers? 
Would that work?","commit_id":"c09c442a20aec3c121d5d203e4e11017c33d86c3"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"ede4b870ab76471e84f4178f709824a967e6de6c","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"dfbec78f_8e8b24c1","line":35,"in_reply_to":"dfbec78f_b87bd225","updated":"2019-05-16 11:18:03.000000000","message":"I think there should no longer be a risk of over-rotation - we calculate the number of active keys necessary to make it work in keystone.conf. Maybe I\u0027m missing something?","commit_id":"c09c442a20aec3c121d5d203e4e11017c33d86c3"}]}
