Fernet tokens and key distribution (part 2)
Based on yet another previous post, this post outlines more of the workflow required to get 0 wait time for validating tokens between Keystone servers.
We can use the following ansible inventory to help us:
Which assumes that we’re going to be using keystone-deploy‘s Fernet Token branch and also that the first Keystone server will be hosting the Keystone database.
I had to do some tweaking after running ansible initially to make sure all Keystone nodes could connect to the database on the first Keystone server (TODO: push fix to keystone-deploy so that database connections aren’t assumed to be made against localhost!). Which pretty much consisted of ensuring the keystone database user had permissions from the other application server IP addresses and removing the bind address from the MySQL configuration.
At this point we should have three Keystone servers up and running, pointing to the same database. Let’s go ahead and populate Keystone with some initial data. We can use some existing tools from previous Keystone performance work:
We should get back a few tokens, and all Keystone servers should be able to see the same data. However, if we attempt to validate one of the tokens we received against a different Keystone endpoint, it will fail. This is because we haven’t distributed the same key repository to each Keystone node yet. To do that we can use revolver. Note that revolver is really simple and designed to be run from one Keystone server. The inventory file should consist of the other Keystone servers in the deployment, along with whatever connection information is needed for ansible (i.e. ansible_ssh_user=root, ansible_ssh_pass=password etc, ):
After distributing the Keystone fernet-keys, we should be able to verify that each Keystone server has the same key repository:
Now we should have everything we need to validate a token generated from one Keystone server against another in the same deployment with 0 latency.
For each endpoint above, we should get the following response for an unscoped token: