Enabling Keystone’s Fernet Tokens in Red Hat OpenStack Platform 10

Enabling Keystone’s Fernet Tokens in Red Hat OpenStack Platform 10

As of OpenStack Kilo, a new token provider is now available as an alternative to pki and uuid. Ferent tokens, pronounced fehr:NET, are essentially an implementation of ephemeral tokens in Keystone. What this means, from an implementation standpoint, is that tokens are no longer persisted and hence do not need to be replicated across clusters or regions.
From http://dolphm.com/openstack-keystone-fernet-tokens/:
“In short, OpenStack’s authentication and authorization metadata is neatly bundled into a MessagePacked payload, which is then encrypted and signed as a Fernet token. OpenStack Kilo’s implementation supports a three-phase key rotation model that requires zero downtime in a clustered environment.”

This document aims to provide a simple method for enabling fernet tokens in Keystone, on OSP 10, both pre and post deployment of the overcloud stack.

Pre-Overcloud Deployment

While documentation exists here:


Following this documentation will cause your OpenStack cloud deployment to fail — as of 2017-03-02. A bugzilla is filed here:  https://bugzilla.redhat.com/show_bug.cgi?id=1428165

Prepare Fernet keys on the undercloud

This deployment will start with preparation of the Fernet keys, which your deployment will place on each controller in /etc/keystone/fernet-keys. Each controller must have the same keys, as tokens issued on one controller must be able to be validated on all controllers.

1. Source the stackrc so that we know we’re working in the undercloud:

$ source ~/stackrc‍‍‍‍‍‍‍‍‍‍‍

2. On the undercloud, use keystone_manage to generate the Fernet keys as deployment artifacts:

$ sudo keystone-manage fernet_setup \
  --keystone-user keystone \
  --keystone-group keystone‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

3. Tar up the keys for upload into a swift container on the undercloud:

$ sudo tar -zcf keystone-fernet-keys.tar.gz /etc/keystone/fernet-keys‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

4. Upload the Fernet keys to the undercloud as swift artifacts (we assume your templates exist in ~/templates):

$ upload-swift-artifacts -f keystone-fernet-keys.tar.gz \
  --environment ~/templates/deployment-artifacts.yaml‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

5. Verify that your artifact exists in the undercloud:

$ swift list overcloud-artifacts

6. Lets verify that deployment-artifacts.yaml exists in ~/templates (NOTE: your details will differ):

$ cat ~/templates/deployment-artifacts.yaml
# Heat environment to deploy artifacts via Swift Temp URL(s)
    - '

NOTE: This is the swift url that your overcloud deploy will use to copy the fernet keys to your controllers.

7. Finally, generate the fernet.yaml template to enable the ferent provider as default in your overcloud:

$ cat << EOF > ~/templates/fernet.yaml
            keystone::token_provider: 'fernet'‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Deploy and Validate

At this point, you should be ready to deploy your overcloud with fernet enabled as the token provider, and your keys distributed to each controller in /etc/keystone/fernet-keys.

NOTE: Be sure to include the ferent.yaml and deployment-artifacts with your normal deploy command, along with any other templates you would normally use.

Test your Fernet keys

Let’s validate that your overcloud is indeed using Fernet tokens, instead of the default UUID token provider.

$ source ~/overcloudrc
$ openstack token issue
| Field | Value |
| expires | 2017-03-22 19:16:21+00:00                   |
| id | gAAAAABY0r91iYvMFQtGiRRqgMvetAF5spEZPTvEzCpFWr3  |
| | 1IB8T8L1MRgf4NlOB6JsfFhhdxenSFob_0vEEHLTT6rs3Rw     |
| | q3-Zm8stCF7sTIlmBVms9CUlwANZOQ4lRMSQ6nTfEPM57kX     |
| | Xw8GBGouWDz8hqDYAeYQCIHtHDWH5BbVs_yC8ICXBk          |
| project_id | f8adc9dea5884d23a30ccbd486fcf4c6         |
| user_id | 2f6106cef80741c6ae2bfb3f25d70eee            |

‍‍‍‍‍‍‍‍‍‍‍‍‍  Note the length of this token in the “id” field. This is a fernet token.

Post Overcloud Deployment

If you’ve already deployed your overcloud with UUID tokens, you can change them to Fernet by simply following the previous example and running the openstack deploy command again — with the enabled heat templates mentioned.

Be sure to deploy with your original deploy command, as any changes there could affect your overcloud.

Leave a Reply

%d bloggers like this: