telefonicaid / fiware-keystone-spassword

Keystone SPASSWORD is an OpenStack Keystone extension that enables some extra security checks over user passwords, such as enforcing strong passwords, a password expiration time, a number of bad login attempts before a user account becomes temporarily blocked, a password recovery procedure, second factor authentication (2FA), etc.
Apache License 2.0

fernet keys and docker image/container #163

Open AlvaroVega opened 4 years ago

AlvaroVega commented 4 years ago

It seems fernet keys are fixed at image creation.

Once a day the docker container rotates fernet keys.

Some problems in HA balanced scenarios could happen if nodes do not share fernet keys or use sticky sessions.

https://docs.openstack.org/keystone/pike/admin/identity-fernet-token-faq.html

How to enable sticky sessions: https://thisinterestsme.com/haproxy-sticky-sessions/

A workaround could be to not rotate fernet keys by default.

AlvaroVega commented 3 years ago

Doc about this issue was added in https://github.com/telefonicaid/fiware-keystone-spassword#fernet-keys-and-ha
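
The scenario in this issue, as an added simulation that is not code from this repository: two containers start from one image with the same key repository and then rotate independently. It assumes Keystone's documented rotation scheme (staged key 0 promoted to the highest index, default `max_active_keys` of 3) and uses an HMAC tag as a stand-in for real Fernet encryption; all function names are hypothetical.

```python
import hashlib
import hmac
import os

MAX_ACTIVE_KEYS = 3  # Keystone's default for [fernet_tokens] max_active_keys


def setup():
    """Like `keystone-manage fernet_setup`: key 0 is staged, key 1 is primary."""
    return {0: os.urandom(32), 1: os.urandom(32)}


def rotate(repo):
    """Like `keystone-manage fernet_rotate`: promote staged key 0 to primary."""
    staged = repo.pop(0)
    repo[max(repo) + 1] = staged        # staged key becomes the new primary
    repo[0] = os.urandom(32)            # fresh staged key, random per node
    while len(repo) > MAX_ACTIVE_KEYS:  # purge the oldest secondary key
        del repo[min(k for k in repo if k != 0)]


def issue(repo, payload):
    """Tokens are always protected with the primary (highest-index) key."""
    tag = hmac.new(repo[max(repo)], payload, hashlib.sha256).digest()
    return payload, tag


def validate(repo, token):
    """A node accepts a token if any key in its repository verifies it."""
    payload, tag = token
    return any(
        hmac.compare_digest(tag, hmac.new(k, payload, hashlib.sha256).digest())
        for k in repo.values()
    )


def simulate(rotations):
    """Return, per round, whether node B accepts a token node A just issued."""
    image = setup()                      # keys baked in at image creation
    node_a, node_b = dict(image), dict(image)
    results = [validate(node_b, issue(node_a, b"constructed-payload"))]
    for _ in range(rotations):           # each node rotates on its own
        rotate(node_a)
        rotate(node_b)
        results.append(validate(node_b, issue(node_a, b"constructed-payload")))
    return results


if __name__ == "__main__":
    print(simulate(3))  # round 0, then after each daily rotation
```

In this model the first rotation still works across nodes because both promote the same image-baked staged key; from the second rotation on, each node's primary key is one it generated itself, so tokens stop validating on the other node unless the key repository is shared or sessions are sticky.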