On Tue, Mar 7, 2017 at 2:09 AM, Matt Fischer <m...@mattfischer.com> wrote:
> I don't think it would cause an issue if every controller rotated all at
> once. The issues are more along the lines of rotating to key C when there
> are tokens out there that are encrypted with keys A and B. In other words
> over-rotation. As long as your keys are properly staged, do the rotation
> all at once or space them out, should not make any difference.
>

The issue is "at once". It takes some time to rotate and distribute the keys.

There is one case: controller A and controller B generate new, different keys. Then they copy the keys to each other by using rsync.

A: 0 1 2 3
B: 0' 1' 2 3

When distributing, the 0/0' and 1/1' may be overridden (rsync holds the deleted file handler and copies it to the other one). It will lead to

A: 0' 1' 2 3
B: 0 1 2 3

Next rotation, it may become

A: 0' 1' 2' 3
B: 0 1 2 3

After distribution, it becomes

A: 0 1 2 3
B: 0' 1' 2' 3

Next rotation and distribution, the issue happens.

This is a small probability, but it is still possible.

--
Regards,
Jeffrey Zhang
Blog: http://xcodest.me
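The divergence discussed in this message, as an added example that is not part of the original thread and not Keystone's own code: a simplified model of a fernet key repository (index 0 is the staged key, the highest index is the primary) comparing rotation on one controller followed by a full copy against independent rotation on two controllers. The function names, the 32-byte random keys and `max_active=3` are assumptions of the model, and it shows the basic independent-rotation case rather than the exact rsync interleaving described above.

```python
import os

def new_repo():
    """Constructed model of a key repository: {index: key bytes}."""
    return {0: os.urandom(32), 1: os.urandom(32)}  # 0 = staged, 1 = primary

def rotate(repo, max_active=3):
    """Promote staged key 0 to primary, stage a fresh key 0, prune the oldest."""
    new = dict(repo)
    new[max(new) + 1] = new.pop(0)      # staged key becomes the new primary
    new[0] = os.urandom(32)             # fresh staged key, unique to this node
    while len(new) > max_active:        # staged key counts toward the limit
        del new[min(i for i in new if i != 0)]
    return new

def primary(repo):
    return repo[max(repo)]

def can_validate(issuer, validator):
    """A token encrypted with the issuer's primary key validates only if the
    validator holds that same key material under some index."""
    return primary(issuer) in validator.values()

def divergent_indexes(a, b):
    """Detection check: indexes whose key material differs between two nodes.
    On real hosts this would compare digests of the key files, not raw keys."""
    return sorted(i for i in set(a) | set(b) if a.get(i) != b.get(i))

def staged_rotation(rounds=4):
    """Rotate on one controller only, then distribute a full copy."""
    a = new_repo()
    b = dict(a)
    for _ in range(rounds):
        a = rotate(a)
        b = dict(a)                     # stand-in for the rsync push
    return a, b

def independent_rotation():
    """Both controllers rotate on their own, with no distribution in between."""
    a = new_repo()
    b = dict(a)
    a, b = rotate(a), rotate(b)         # each stages its own key: 0 and 0'
    a, b = rotate(a), rotate(b)         # each promotes its own staged key
    return a, b

if __name__ == "__main__":
    for name, (a, b) in (("staged", staged_rotation()),
                         ("independent", independent_rotation())):
        print(name, "divergent:", divergent_indexes(a, b),
              "A->B valid:", can_validate(a, b))
```

After the first independent rotation only index 0 differs and tokens still validate, so the divergence check flags the problem one rotation before validation starts failing.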