Tim Burke
74030236ad
tempauth: Support fernet tokens
Tempauth fernet tokens use a secret shared among all proxies to encrypt user group information. Because they are encrypted, clients can neither view nor edit this information; it is an opaque bearer token similar to the existing memcached-backed tokens (just much longer). Note that tokens still expire after the configured token_life.

Add a new set of config options of the form

    fernet_key_<keyid> = <32 url-safe base64-encoded bytes>

Any of the configured keys will be used to attempt to decrypt tokens starting with "ftk" and extract group information.

Another new config option

    active_fernet_key_id = <keyid>

dictates which key should be used when minting tokens. Such tokens will start with "ftk" to distinguish them from memcached-backed tokens (which continue to start with "tk"). If active_fernet_key_id is not configured, memcached-backed tokens continue to be used.

Together, these allow seamless transitions from memcached-backed tokens to fernet tokens, as well as transitions from one fernet key to another:

1. Add a new fernet_key_<keyid> entry.
2. Ensure all proxies have the new config with fernet_key_<keyid>.
3. Set active_fernet_key_id = <keyid>.
4. Ensure all proxies have the new config with the new active_fernet_key_id.

This is similar to the key-rotation process for the encryption feature, except that old keys may be pruned following a token_life period.

Additionally, opportunistically compress groups before minting tokens. Compressed tokens will begin with "zftk" but otherwise behave just like "ftk" tokens.

Change-Id: I0bdc98765d05e91f872ef39d4722f91711a5641f