Chapter 1. Deploy Fernet on the Overcloud

This chapter describes how to configure your Overcloud to use the Fernet token provider.

  • Key Management - This example uses keystone-manage to generate the overcloud Fernet keys on the undercloud. These keys will not actually be used by the Undercloud since it is configured to use the UUID token format by default. If you do configure the undercloud to use the Fernet token format after following the procedure in this document, it will use the same keys as the overcloud (which may not be desirable).
  • Swift Artifacts - This implementation uses Heat swift artifacts, which puts a copy of the Fernet key directory on every node in your deployment (not just the Controller node). You will need to consider whether this outcome is acceptable for your deployment requirements.

1.1. Prepare the Fernet Keys

This section generates the Fernet keys on the undercloud, and uploads them into swift.

1. On the undercloud node, use keystone_manage to generate Fernet keys:

$ . ~/stackrc
$ sudo keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone

2. Create a tar file containing the Fernet keys:

$ sudo tar -zcf keystone-fernet-keys.tar.gz -P /etc/keystone/fernet-keys
Note

the keys in the controller nodes should not be changed manually. All controller nodes should have the exact same set of Fernet keys, otherwise a token generated by one controller won’t be accepted by the others.

3. Upload the Fernet keys as swift artifacts:

$ upload-swift-artifacts -f keystone-fernet-keys.tar.gz

1.2. Configure the Overcloud to use Fernet

This section creates a YAML file that configures keystone to use fernet as the token provider. This setting is then applied to your existing overcloud in a later step.

1. Create a file named fernet.yaml that contains the required token_provider setting:

parameter_defaults:
  controllerExtraConfig:
    keystone::token_provider: 'fernet'

2. Deploy the overcloud, including the fernet.yaml file that was created in the previous step. For example:

source /home/stack/stackrc
openstack overcloud deploy --templates -e /home/stack/fernet.yaml
Note

If re-deploying the overcloud in the future, you will need to ensure that you still include fernet.yaml, to prevent the token provider from being re-configured to use a different format.

The process may take some time to complete.

1.3. Review the Fernet Deployment

Review the overcloud controller configuration to confirm that the process was successful:

1. Retrieve the IP address of the controller node:

$ openstack server list
+--------------------------------------+-------------------------+--------+---------------------+
| ID                                   | Name                    | Status | Networks            |
+--------------------------------------+-------------------------+--------+---------------------+
| 756fbd73-e47b-46e6-959c-e24d7fb71328 | overcloud-controller-0  | ACTIVE | ctlplane=192.0.2.16 |
| 62b869df-1203-4d58-8e45-fac6cd4cfbee | overcloud-novacompute-0 | ACTIVE | ctlplane=192.0.2.8  |
+--------------------------------------+-------------------------+--------+---------------------+

2. SSH to the controller:

$ ssh heat-admin@192.0.2.16
Last login: Tue Sep  6 00:09:59 2016 from 192.0.2.1

3. Retrieve the values of the token driver and provider settings:

$ sudo crudini --get /etc/keystone/keystone.conf token driver
sql
$ sudo crudini --get /etc/keystone/keystone.conf token provider
fernet

4. Test the Fernet provider:

$ openstack token issue
WARNING: openstackclient.common.utils is deprecated and will be removed after Jun 2017. Please use osc_lib.utils
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2016-09-20 05:26:17+00:00 |
| id | gAAAAABX4LppE8vaiFZ992eah2i3edpO1aDFxlKZq6a_RJzxUx56QVKORrmW0-oZK3-Xuu2wcnpYq_eek2SGLz250eLpZOzxKBR0GsoMfxJU8mEFF8NzfLNcbuS-iz7SV-N1re3XEywSDG90JcgwjQfXW-8jtCm-n3LL5IaZexAYIw059T_-cd8 |
| project_id | 26156621d0d54fc39bf3adb98e63b63d |
| user_id | 397daf32cadd490a8f3ac23a626ac06c |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

The result should include the long Fernet token. This token will still be shorter in length than the PKI token.

Note

The keys used to sign tokens are now available in the undercloud’s swift. The keys should remain in swift in case you need to deploy a new controller, however, you can delete them using the swift command, if needed:

swift delete overcloud-artifacts keystone-fernet-keys.tar.gz