Chapter 1. Deploy Fernet on the Overcloud
This chapter describes how to configure your Overcloud to use the Fernet token provider.
- Key Management - This example uses keystone-manage to generate the overcloud Fernet keys on the undercloud. These keys are not actually used by the undercloud, because it is configured to use the UUID token format by default. If you later configure the undercloud to use the Fernet token format after following this procedure, it will use the same keys as the overcloud. That is generally undesirable: a compromise of either key repository would then allow tokens to be forged for both clouds.
- Swift Artifacts - This implementation uses Heat swift artifacts, which places a copy of the Fernet key directory on every node in your deployment (not just the Controller nodes). Consider whether having the token keys present on compute and other non-controller nodes is acceptable for your deployment requirements.
1.1. Prepare the Fernet Keys
This section generates the Fernet keys on the undercloud, and uploads them into swift.
1. On the undercloud node, use keystone-manage to generate Fernet keys:
$ . ~/stackrc
$ sudo keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
2. Create a tar file containing the Fernet keys:
$ sudo tar -zcf keystone-fernet-keys.tar.gz -P /etc/keystone/fernet-keys
The keys on the controller nodes should not be changed manually. All controller nodes must have exactly the same set of Fernet keys; otherwise a token generated by one controller will not be accepted by the others.
3. Upload the Fernet keys as swift artifacts:
$ upload-swift-artifacts -f keystone-fernet-keys.tar.gz
1.2. Configure the Overcloud to use Fernet
This section creates a YAML file that configures keystone to use fernet as the token provider. This setting is then applied to your existing overcloud in a later step.
1. Create a file named fernet.yaml that contains the required token_provider setting:
parameter_defaults:
  controllerExtraConfig:
    keystone::token_provider: 'fernet'
2. Deploy the overcloud, including the fernet.yaml file that was created in the previous step. For example:
$ source /home/stack/stackrc
$ openstack overcloud deploy --templates -e /home/stack/fernet.yaml
If you re-deploy the overcloud in the future, you must still include fernet.yaml (together with every other environment file used for the original deployment); otherwise the token provider is reconfigured back to the default format.
The process may take some time to complete.
1.3. Review the Fernet Deployment
Review the overcloud controller configuration to confirm that the process was successful:
1. Retrieve the IP address of the controller node:
$ openstack server list
+--------------------------------------+-------------------------+--------+---------------------+
| ID                                   | Name                    | Status | Networks            |
+--------------------------------------+-------------------------+--------+---------------------+
| 756fbd73-e47b-46e6-959c-e24d7fb71328 | overcloud-controller-0  | ACTIVE | ctlplane=192.0.2.16 |
| 62b869df-1203-4d58-8e45-fac6cd4cfbee | overcloud-novacompute-0 | ACTIVE | ctlplane=192.0.2.8  |
+--------------------------------------+-------------------------+--------+---------------------+
2. SSH to the controller:
$ ssh heat-admin@192.0.2.16
Last login: Tue Sep 6 00:09:59 2016 from 192.0.2.1
3. Retrieve the values of the token driver and provider settings:
$ sudo crudini --get /etc/keystone/keystone.conf token driver
sql
$ sudo crudini --get /etc/keystone/keystone.conf token provider
fernet
4. Test the Fernet provider:
$ openstack token issue
WARNING: openstackclient.common.utils is deprecated and will be removed after Jun 2017. Please use osc_lib.utils
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2016-09-20 05:26:17+00:00                                                                                                                                                               |
| id         | gAAAAABX4LppE8vaiFZ992eah2i3edpO1aDFxlKZq6a_RJzxUx56QVKORrmW0-oZK3-Xuu2wcnpYq_eek2SGLz250eLpZOzxKBR0GsoMfxJU8mEFF8NzfLNcbuS-iz7SV-N1re3XEywSDG90JcgwjQfXW-8jtCm-n3LL5IaZexAYIw059T_-cd8 |
| project_id | 26156621d0d54fc39bf3adb98e63b63d                                                                                                                                                        |
| user_id    | 397daf32cadd490a8f3ac23a626ac06c                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
The result should include the long Fernet token in the id field. The token is still shorter than a PKI token, which could run to several kilobytes. Treat the id value as a bearer credential: anyone who obtains it can act as that user until the token expires, so do not paste it into tickets or logs.
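The checks above confirm the provider setting on one controller. Because every controller must hold exactly the same key set (section 1.1), it is also worth checking the key repository itself, both on the undercloud before the tarball is uploaded and on each controller after deployment. The following shell script is an added example and is not part of the Red Hat chapter or of keystone; the function names, the constructed demo repositories and the use of sha256sum for the fingerprint are this example's own choices. It assumes the layout keystone-manage fernet_setup creates: files named 0 (staged key), 1 (primary), and so on, each holding one 32-byte key as 44 characters of URL-safe base64, with a 0700 directory and 0600 files.

```shell
#!/bin/sh
# Added example, not from the Red Hat chapter: sanity-check a Fernet key
# repository laid out the way keystone-manage fernet_setup creates it, and
# compute a fingerprint that can be compared across controllers.
#
# Assumed layout (matches keystone's fernet key repository):
#   <repo>/0      staged key (becomes primary at the next rotation)
#   <repo>/1..N   N is the current primary key
#   each file holds one 32-byte key as 44 characters of URL-safe base64
#   directory mode 0700, key files mode 0600 (ownership is not checked here)
set -u

# Print each problem found; print "ok (<n> keys)" and return 0 if the repository is sane.
check_fernet_repo() {
    repo=$1
    rc=0
    n=0
    [ -d "$repo" ] || { echo "missing repository $repo"; return 1; }
    dmode=$(stat -c %a "$repo")
    [ "$dmode" = "700" ] || { echo "directory mode $dmode, expected 700"; rc=1; }
    for f in "$repo"/*; do
        [ -e "$f" ] || continue            # empty directory: the glob did not expand
        name=$(basename "$f")
        case $name in
            *[!0-9]*) echo "unexpected file $name"; rc=1; continue ;;
        esac
        fmode=$(stat -c %a "$f")
        [ "$fmode" = "600" ] || { echo "$name: mode $fmode, expected 600"; rc=1; }
        key=$(cat "$f")
        # 32 random bytes in URL-safe base64 are 43 characters plus one '=' pad.
        printf '%s' "$key" | grep -Eq '^[A-Za-z0-9_-]{43}=$' \
            || { echo "$name: not a 44-character URL-safe base64 key"; rc=1; }
        n=$((n + 1))
    done
    [ -f "$repo/0" ] || { echo "no staged key 0"; rc=1; }
    [ "$n" -ge 2 ] || { echo "only $n key(s); fernet_setup creates keys 0 and 1"; rc=1; }
    [ "$rc" -eq 0 ] && echo "ok ($n keys)"
    return "$rc"
}

# Fingerprint of the whole repository (slot number plus key content).
# Run it on every controller: identical output means the controllers share one
# key set; any difference means tokens issued by one controller are rejected by
# the others.
fernet_repo_fingerprint() {
    repo=$1
    for f in $(ls "$repo" | sort -n); do
        printf '%s:%s\n' "$f" "$(cat "$repo/$f")"
    done | sha256sum | cut -d' ' -f1
}

# --- constructed demo: two controllers, then one of them drifts ---------------
make_key() { head -c 32 /dev/urandom | base64 | tr '+/' '-_'; }

# Create a repository shaped like fresh fernet_setup output (keys 0 and 1).
make_demo_repo() {
    repo=$1
    mkdir -p "$repo" && chmod 700 "$repo"
    make_key > "$repo/0"
    make_key > "$repo/1"
    chmod 600 "$repo/0" "$repo/1"
}

demo() {
    tmp=$(mktemp -d)
    make_demo_repo "$tmp/controller-0"
    cp -rp "$tmp/controller-0" "$tmp/controller-1"   # what the swift artifact gives every node
    check_fernet_repo "$tmp/controller-0"
    echo "controller-0: $(fernet_repo_fingerprint "$tmp/controller-0")"
    echo "controller-1: $(fernet_repo_fingerprint "$tmp/controller-1")"
    make_key > "$tmp/controller-1/1"                  # a key rotated by hand on one node only
    echo "controller-1 after manual change: $(fernet_repo_fingerprint "$tmp/controller-1")"
    rm -rf "$tmp"
}
demo
```

On a real controller, point check_fernet_repo and fernet_repo_fingerprint at /etc/keystone/fernet-keys (as root) and compare the fingerprints from all controllers; the demo shows that a single hand-edited key file is enough to change the fingerprint, which is exactly the mismatch that makes one controller reject tokens issued by another.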
The keys used to encrypt and sign tokens are now also stored in the undercloud's swift, in the overcloud-artifacts container, so the undercloud is a second place where the overcloud's token keys must be protected. Keep them there if you may need to deploy a new controller, since it must receive the same keys; otherwise you can delete them with the swift command:
$ swift delete overcloud-artifacts keystone-fernet-keys.tar.gz