Red Hat OpenStack Services on OpenShift / OSPRH-2110

[RFE] extend keystone-manage to support replicated fernet tokens


    • Epic
    • Resolution: Unresolved
    • Major
    • rhos-17.1.4
    • rhos-17.1.0
    • openstack-keystone
    • None
    • 3
    • False
    • False
    • Targeted
    • Committed
    • Committed
    • To Do
    • OSP-4428 - Connect Multiple OSP Clouds
    • Committed
    • Committed
    • 33% To Do, 33% In Progress, 33% Done
    • 3
    • Security

      The ask is to extend keystone-manage to allow generation of users and projects by passing fixed UUIDs. With the same UUIDs in different Keystones, you can replicate (rsync) fernet tokens between sites and use the same tokens in multiple sites.

      Something like this:

       # keystone-manage project_setup --project-name projectA \
           --project-id f9632636-ea8a-4698-a36c-66011541fdf1 \
           --metadata '{"foo": "bar"}'
       # keystone-manage user_setup --user-name userA --user-password-plain hoge \
           --user-id 8eab1f40-ae9c-43b7-b921-0422717a8893 \
           --default-project-name projectA \
           --metadata '{"foo": "bar"}'
      • This way there is no API impact, no DB impact and no main code impact.
      • Easy to backport.
      • `keystone-manage bootstrap` uses a similar way to generate the admin user/project.

            dwilde@redhat.com Dave Wilde
            jjung@redhat.com JP Jung
            rhos-dfg-security
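
A pre-flight check for the scheme requested above, added here as an example and not part of the ticket or of keystone: before two sites accept each other's tokens, confirm that every user and project has the same ID on both. The names `SITE_A`, `SITE_B` and `compare_sites` are hypothetical, and the inventories are constructed sample data (only the projectA and userA IDs come from the ticket).

```python
import uuid

# Constructed inventories: (kind, name) -> ID as stored at each site.
# projectA/userA IDs are the ones from the ticket; the rest are made up.
SITE_A = {
    ("project", "projectA"): "f9632636-ea8a-4698-a36c-66011541fdf1",
    ("user", "userA"): "8eab1f40-ae9c-43b7-b921-0422717a8893",
    ("user", "userB"): "11111111-1111-4111-8111-111111111111",
    ("user", "userC"): "22222222-2222-4222-8222-222222222222",
}
SITE_B = {
    ("project", "projectA"): "f9632636-ea8a-4698-a36c-66011541fdf1",
    ("user", "userA"): "33333333-3333-4333-8333-333333333333",
    ("user", "userD"): "22222222-2222-4222-8222-222222222222",
    ("user", "userE"): "not-a-uuid",
}


def is_uuid(value):
    """True if the string parses as a UUID (dashed or plain hex)."""
    try:
        uuid.UUID(value)
        return True
    except ValueError:
        return False


def compare_sites(a, b):
    """Return the entries that make cross-site token reuse unsafe or broken."""
    report = {"missing": [], "mismatched": [], "collisions": [], "malformed": []}
    for key in sorted(set(a) | set(b)):
        if key not in a or key not in b:
            report["missing"].append(key)      # token would not resolve at one site
        elif a[key] != b[key]:                 # exact string compare (assumption:
            report["mismatched"].append(key)   # a site looks the ID up as stored)
    # Same ID bound to a different principal on the other site: a token issued
    # for one would resolve to the other once the sites accept each other's tokens.
    owner_b = {ident: key for key, ident in b.items()}
    for key, ident in sorted(a.items()):
        if ident in owner_b and owner_b[ident] != key:
            report["collisions"].append((ident, key, owner_b[ident]))
    for site in (a, b):
        report["malformed"] += sorted(k for k, v in site.items() if not is_uuid(v))
    return report


if __name__ == "__main__":
    for problem, entries in compare_sites(SITE_A, SITE_B).items():
        print(problem, entries)
```

A collision is the case to treat as a blocker: a missing or mismatched ID only makes a token fail at the other site, while a collision makes it succeed as someone else.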