feat(fernet): Unify credential/token key repositories #915
Merged
Adds openstack-keystone-key-repository: a backend-agnostic KeySource trait (FilesystemKeySource today, Vault-ready) plus KeyRepository/CachedKeyRepository, implementing the key parsing, key_hash, Null Key detection, and staged-rotation logic that previously existed twice (once in credential-driver-sql, once, partially, in token-driver-fernet).

- credential-driver-sql's FernetKeyRepository becomes a thin async adapter over the shared crate; behavior-neutral (same MAX_ACTIVE_KEYS=3 hard cap).
- token-driver-fernet gains full parity with the credential key repository: Null Key detection (new [fernet_tokens] insecure_allow_null_key config, default false), real key rotation (max_active_keys was previously unused), and an auto-refreshing cached key snapshot (CachedKeyRepository) replacing the old load-once-never-reload / reload-from-disk-every-call split — this removes the long-standing "TODO: implement fernet keys change watching" and makes token key rotation take effect without a service restart.
- The filesystem key source watches for changes via inotify with a polling fallback (same debounce pattern as ConfigManager's existing config-file watcher), so the same watch/reload contract will hold for a future Vault-backed KeySource without changing KeyRepository/CachedKeyRepository.
- keystone-manage gains `token setup`/`token rotate` (mirroring the existing `credential setup`/`migrate`/`rotate`; no `migrate` for tokens since they are never re-encrypted, just expire).
- keystone's startup Null Key check now runs for both key repositories.

Assisted-By: Claude Sonnet 5 <noreply@anthropic.com>
Signed-off-by: Artem Goncharov <artem.goncharov@gmail.com>
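An added example (not code from this PR or from the openstack-keystone-key-repository crate) modelling the Null Key check and staged rotation named in the description above. It assumes upstream Keystone's conventions: the Null Key is URL-safe base64 of 32 zero bytes, key 0 is the staged key and the highest index is the primary; `Repo`, `RepoError`, `validate` and `rotate` are hypothetical names.

```rust
use std::collections::BTreeMap;

// Assumption: the Null Key is URL-safe base64 of 32 zero bytes (43 'A's plus '=').
fn null_key() -> String {
    format!("{}=", "A".repeat(43))
}

#[derive(Debug, PartialEq)]
enum RepoError { NullKey(u32), NoStagedKey }

// Hypothetical in-memory repository: index -> key text; 0 is staged, highest is primary.
struct Repo { keys: BTreeMap<u32, String>, max_active_keys: usize }

impl Repo {
    // Startup check: reject a repository holding the Null Key unless the
    // operator opted in via insecure_allow_null_key.
    fn validate(&self, insecure_allow_null_key: bool) -> Result<(), RepoError> {
        for (idx, key) in &self.keys {
            // trim() so a trailing newline in a key file cannot hide the match
            if !insecure_allow_null_key && key.trim() == null_key() {
                return Err(RepoError::NullKey(*idx));
            }
        }
        Ok(())
    }

    // Staged rotation: promote key 0 to (highest index + 1), purge the oldest
    // secondary keys until the cap holds, then install a fresh staged key.
    fn rotate(&mut self, new_staged: String) -> Result<u32, RepoError> {
        let staged = self.keys.remove(&0).ok_or(RepoError::NoStagedKey)?;
        let new_primary = self.keys.keys().next_back().copied().unwrap_or(0) + 1;
        self.keys.insert(new_primary, staged);
        // "+ 1" reserves a slot for the staged key; the new primary is never purged.
        while self.keys.len() > 1 && self.keys.len() + 1 > self.max_active_keys {
            let oldest = *self.keys.keys().next().unwrap();
            self.keys.remove(&oldest);
        }
        self.keys.insert(0, new_staged);
        Ok(new_primary)
    }
}

fn main() {
    // Constructed placeholder key material, not real Fernet keys.
    let keys = BTreeMap::from([(0, "staged-a".to_string()), (1, "old".to_string()), (2, "primary".to_string())]);
    let mut repo = Repo { keys, max_active_keys: 3 };
    println!("validate: {:?}", repo.validate(false));
    println!("new primary index: {:?}", repo.rotate("staged-b".to_string()));
    println!("indices after rotation: {:?}", repo.keys.keys().collect::<Vec<_>>());
}
```

Because the staged key is distributed before it is promoted, every node already holds the next primary when rotation happens, so tokens issued under it validate everywhere.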
| Branch | claude/adr-0019-keystone-compat-nfzp1z |
| Testbed | ubuntu-latest |
| Benchmark | Latency: benchmark result in nanoseconds (ns) (result Δ%) | Baseline (ns) | Upper boundary in nanoseconds (ns) (limit %) |
|---|---|---|---|
| Command_Serde/apply/remove | 84,139.00 ns (-72.13%) | 301,889.16 ns | 1,713,921.13 ns (4.91%) |
| Command_Serde/apply/set | 91,088.00 ns (-64.16%) | 254,174.86 ns | 1,029,665.77 ns (8.85%) |
| Command_Serde/pack/delete | 126.15 ns (+3.67%) | 121.68 ns | 146.41 ns (86.16%) |
| Command_Serde/pack/delete_index | 114.90 ns (+4.40%) | 110.06 ns | 131.64 ns (87.28%) |
| Command_Serde/pack/set | 200.14 ns (+2.40%) | 195.45 ns | 239.26 ns (83.65%) |
| Command_Serde/pack/set_index | 114.77 ns (+4.35%) | 109.98 ns | 131.28 ns (87.42%) |
| Command_Serde/unpack/delete | 222.05 ns (+15.39%) | 192.44 ns | 234.58 ns (94.66%) |
| Command_Serde/unpack/delete_index | 183.52 ns (+14.89%) | 159.74 ns | 197.90 ns (92.73%) |
| Command_Serde/unpack/set | 275.18 ns (+2.43%) | 268.65 ns | 334.07 ns (82.37%) |
| Command_Serde/unpack/set_index | 185.10 ns (+16.31%) | 159.15 ns | 196.27 ns (94.31%) |
| Payload_encryption/pack/remove_cmd | 123.78 ns (+6.64%) | 116.07 ns | 141.45 ns (87.51%) |
| Payload_encryption/pack/set_cmd | 194.75 ns (-4.16%) | 203.20 ns | 267.90 ns (72.69%) |
| Payload_encryption/unpack/remove_cmd | 215.05 ns (+4.94%) | 204.92 ns | 253.57 ns (84.81%) |
| Payload_encryption/unpack/set_cmd | 277.85 ns (-1.32%) | 281.58 ns | 352.87 ns (78.74%) |
| Raft_1Node_Latency/prefix/1node | 4,433,800.00 ns (+63.66%) | 2,709,221.72 ns | 6,199,965.74 ns (71.51%) |
| Raft_1Node_Latency/read/1node | 34,796.00 ns (+70.39%) | 20,421.42 ns | 69,089.27 ns (50.36%) |
| Raft_1Node_Latency/remove/1node | 252,410.00 ns (-56.18%) | 576,029.84 ns | 2,322,079.28 ns (10.87%) |
| Raft_1Node_Latency/write/1node | 272,340.00 ns (-54.44%) | 597,758.91 ns | 2,150,928.42 ns (12.66%) |
| build_snapshot/default | 108,200.00 ns (-2.53%) | 111,008.59 ns | 162,450.62 ns (66.60%) |
| fernet token/project | 1,494.70 ns (+8.19%) | 1,381.51 ns | 1,637.72 ns (91.27%) |
| get_data_keyspace | 0.36 ns (+14.05%) | 0.31 ns | 0.36 ns (98.08%) |
| get_db | 0.35 ns (+12.51%) | 0.31 ns | 0.36 ns (96.86%) |
| get_fernet_token_timestamp/project | 145.78 ns (+1.52%) | 143.59 ns | 181.20 ns (80.45%) |
| get_keyspace | 4.58 ns (-5.23%) | 4.83 ns | 9.76 ns (46.92%) |