keystone.common.fernet_utils module¶

class keystone.common.fernet_utils.FernetUtils(key_repository=None, max_active_keys=None, config_group=None)[source]¶

Bases: object

create_key_directory(keystone_user_id=None, keystone_group_id=None)[source]¶

Attempt to create the key directory if it doesn’t exist.

initialize_key_repository(keystone_user_id=None, keystone_group_id=None)[source]¶

Create a key repository and bootstrap it with a key.

Parameters:	keystone_user_id – User ID of the Keystone user. keystone_group_id – Group ID of the Keystone user.

load_keys(use_null_key=False)[source]¶

Load keys from disk into a list.

The first key in the list is the primary key used for encryption. All other keys are active secondary keys that can be used for decrypting tokens.

Parameters:	use_null_key – If true, a known key containing null bytes will be appended to the list of returned keys.

rotate_keys(keystone_user_id=None, keystone_group_id=None)[source]¶

Create a new primary key and revoke excess active keys.

Parameters:	keystone_user_id – User ID of the Keystone user. keystone_group_id – Group ID of the Keystone user.

Key rotation utilizes the following behaviors:

• The highest key number is used as the primary key (used for encryption).
• All keys can be used for decryption.
• New keys are always created as key “0,” which serves as a placeholder before promoting it to be the primary key.

This strategy allows you to safely perform rotation on one node in a cluster, before syncing the results of the rotation to all other nodes (during both key rotation and synchronization, all nodes must recognize all primary keys).

validate_key_repository(requires_write=False)[source]¶

Validate permissions on the key repository directory.