keystone.common.fernet_utils module

class keystone.common.fernet_utils.FernetUtils(key_repository, max_active_keys, config_group)

Bases: object

create_key_directory(keystone_user_id=None, keystone_group_id=None)

Attempt to create the key directory if it doesn’t exist.

initialize_key_repository(keystone_user_id=None, keystone_group_id=None)

Create a key repository and bootstrap it with a key.

Parameters:
  • keystone_user_id – User ID of the Keystone user.

  • keystone_group_id – Group ID of the Keystone user.

load_keys(use_null_key=False)

Load keys from disk into a list.

The first key in the list is the primary key used for encryption. All other keys are active secondary keys that can be used for decrypting tokens.

Parameters:
  • use_null_key – If true, a known key containing null bytes will be appended to the list of returned keys.

rotate_keys(keystone_user_id=None, keystone_group_id=None)

Create a new primary key and revoke excess active keys.

Parameters:
  • keystone_user_id – User ID of the Keystone user.

  • keystone_group_id – Group ID of the Keystone user.

Key rotation utilizes the following behaviors:

  • The highest key number is used as the primary key (used for encryption).

  • All keys can be used for decryption.

  • New keys are always created as key “0,” which serves as a placeholder before promoting it to be the primary key.

This strategy allows you to safely perform rotation on one node in a cluster, before syncing the results of the rotation to all other nodes (during both key rotation and synchronization, all nodes must recognize all primary keys).
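As an added illustration of the rotation and load-order rules above (this is not keystone's own code), the following stand-alone model keeps one integer-named file per key in a temporary directory and applies the promote-0, stage-new-0, prune-excess sequence. The key encoding (32 random bytes, urlsafe base64), the null key (32 zero bytes), the staged key counting toward max_active_keys, and the `demo()` helper are assumptions introduced here.

```python
import base64
import os
import tempfile

def _new_key():
    # Assumption: a Fernet key is 32 random bytes, urlsafe-base64 encoded.
    return base64.urlsafe_b64encode(os.urandom(32))
def _key_numbers(repo):
    # One file per key, named by its integer number; 0 is the staged key.
    return sorted(int(n) for n in os.listdir(repo) if n.isdigit())
def _write_key(repo, number):
    with open(os.path.join(repo, str(number)), "wb") as f:
        f.write(_new_key())

def initialize_key_repository(repo):
    """Bootstrap an empty repository with staged key 0 and primary key 1."""
    os.makedirs(repo, exist_ok=True)
    _write_key(repo, 0)
    _write_key(repo, 1)

def rotate_keys(repo, max_active_keys):
    """Promote key 0 to the new primary, stage a fresh key 0, revoke excess keys."""
    new_primary = max(_key_numbers(repo)) + 1
    os.rename(os.path.join(repo, "0"), os.path.join(repo, str(new_primary)))
    _write_key(repo, 0)
    # Drop the oldest secondaries so at most max_active_keys (assumed >= 2)
    # remain; the slice never touches key 0 (index 0) or the primary (last).
    numbers = _key_numbers(repo)
    for number in numbers[1:1 + max(0, len(numbers) - max_active_keys)]:
        os.remove(os.path.join(repo, str(number)))
    return new_primary

def load_keys(repo, use_null_key=False):
    """Return the primary (highest number) first, then every other key."""
    keys = []
    for number in sorted(_key_numbers(repo), reverse=True):
        with open(os.path.join(repo, str(number)), "rb") as f:
            keys.append(f.read())
    if use_null_key:  # assumption: the null key is 32 zero bytes, encoded alike
        keys.append(base64.urlsafe_b64encode(b"\x00" * 32))
    return keys

def demo(max_active_keys=3):
    """Two rotations in a fresh temporary repository; key numbers after each."""
    repo = tempfile.mkdtemp()
    initialize_key_repository(repo)
    history = [_key_numbers(repo)]
    for _ in range(2):
        rotate_keys(repo, max_active_keys)
        history.append(_key_numbers(repo))
    return history, len(load_keys(repo, use_null_key=True))
```

Running `demo()` shows key 1 being revoked on the second rotation once the repository would exceed three keys, while the staged key 0 and the current primary survive every step.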

validate_key_repository(requires_write=False)

Validate permissions on the key repository directory.

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.