第1章 Using Fernet keys for encryption in the overcloud

Fernet is the default token provider, that replaces uuid. You can review your Fernet deployment and rotate the Fernet keys.

1.1. Reviewing the Fernet deployment

Review your configuration to confirm that Fernet tokens are working correctly.

Procedure

  1. Retrieve the IP address of the controller node: 

    [stack@director ~]$ source ~/stackrc
[stack@director ~]$ openstack server list
--------------------------------------------------------------------------------------------+
| ID                                   | Name                    | Status | Networks            |
--------------------------------------------------------------------------------------------+
| 756fbd73-e47b-46e6-959c-e24d7fb71328 | overcloud-controller-0  | ACTIVE | ctlplane=192.0.2.16 |
| 62b869df-1203-4d58-8e45-fac6cd4cfbee | overcloud-novacompute-0 | ACTIVE | ctlplane=192.0.2.8  |
--------------------------------------------------------------------------------------------+

  2. SSH into the Controller node: 

    [heat-admin@overcloud-controller-0 ~]$ ssh heat-admin@192.0.2.16

  3. Retrieve the values of the token driver and provider settings: 

    [heat-admin@overcloud-controller-0 ~]$ sudo crudini --get /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf token driver
sql
[heat-admin@overcloud-controller-0 ~]$ sudo crudini --get /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf token provider
fernet

  4. Test the Fernet provider: 

    [heat-admin@overcloud-controller-0 ~]$ exit
[stack@director ~]$ source ~/overcloudrc
[stack@director ~]$ openstack token issue
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2016-09-20 05:26:17+00:00 |
| id | gAAAAABX4LppE8vaiFZ992eah2i3edpO1aDFxlKZq6a_RJzxUx56QVKORrmW0-oZK3-Xuu2wcnpYq_eek2SGLz250eLpZOzxKBR0GsoMfxJU8mEFF8NzfLNcbuS-iz7SV-N1re3XEywSDG90JcgwjQfXW-8jtCm-n3LL5IaZexAYIw059T_-cd8 |
| project_id | 26156621d0d54fc39bf3adb98e63b63d |
| user_id | 397daf32cadd490a8f3ac23a626ac06c |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

    The result includes the long Fernet token.