keystone.common.fernet_utils module

class keystone.common.fernet_utils.FernetUtils(key_repository, max_active_keys, config_group)[source]

Bases: object

create_key_directory(keystone_user_id=None, keystone_group_id=None)[source]

Attempt to create the key directory if it doesn’t exist.

initialize_key_repository(keystone_user_id=None, keystone_group_id=None)[source]

Create a key repository and bootstrap it with a key.

Parameters:

  • keystone_user_id – User ID of the Keystone user.

  • keystone_group_id – Group ID of the Keystone user.

load_keys(use_null_key=False)[source]

Load keys from disk into a list.

The first key in the list is the primary key used for encryption. All other keys are active secondary keys that can be used for decrypting tokens.

Parameters:

use_null_key – If true, a known key containing null bytes will be appended to the list of returned keys.

rotate_keys(keystone_user_id=None, keystone_group_id=None)[source]

Create a new primary key and revoke excess active keys.

Parameters:

  • keystone_user_id – User ID of the Keystone user.

  • keystone_group_id – Group ID of the Keystone user.

Key rotation utilizes the following behaviors:

  • The highest key number is used as the primary key (used for encryption).

  • All keys can be used for decryption.

  • New keys are always created as key “0,” which serves as a placeholder before promoting it to be the primary key.

This strategy allows you to safely perform rotation on one node in a cluster, before syncing the results of the rotation to all other nodes (during both key rotation and synchronization, all nodes must recognize all primary keys).

validate_key_repository(requires_write=False)[source]

Validate permissions on the key repository directory.