keystone-manage token-flush
(reduced scope of this BP to exclude issues related to archiving)
Bug 1032633 describes how keystone's token table grows unconditionally as new tokens are issued and are not disposed of after expiration. We've left this issue to deployers to resolve, as keystone should not automatically delete tokens that provide traceability for security issues, etc.
However, we should provide a tool to make it easier to manage those tokens via keystone-manage.
I'd propose the following command:
$ keystone-manage token-flush
Flushing tokens simply deletes expired tokens, eliminating any means of traceability.
This would require a new driver method that could be overridden with an alternative implementation, but it should look something like:
delete_
This method should not be exposed to the HTTP API (at least not as part of this BP) -- that should require additional discussion.
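A sketch of the overridable driver method described above, added here as an example and not keystone's own code. The interface, class names and the `flush_expired_tokens` method name are hypothetical (the method name on this page is cut off), and SQLite with constructed tokens stands in for the real backend.

```python
import abc
import sqlite3
from datetime import datetime, timedelta, timezone

NOW = datetime(2013, 7, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
SAMPLE = {"tok-old": NOW - timedelta(days=1),   # constructed tokens
          "tok-edge": NOW,
          "tok-live": NOW + timedelta(hours=1)}

class TokenDriver(abc.ABC):
    """Hypothetical driver interface (assumption, not keystone's class)."""
    @abc.abstractmethod
    def flush_expired_tokens(self, now):
        """Delete tokens that expired before `now`; return how many."""

class SqlTokenDriver(TokenDriver):
    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE token "
                          "(id TEXT PRIMARY KEY, expires INTEGER NOT NULL)")
        # Index expiry so a flush does not scan the whole table.
        self.conn.execute("CREATE INDEX ix_token_expires ON token (expires)")

    def issue(self, token_id, expires):
        with self.conn:
            self.conn.execute("INSERT INTO token VALUES (?, ?)",
                              (token_id, int(expires.timestamp())))

    def flush_expired_tokens(self, now):
        # Strict "<": a token expiring exactly at `now` is kept (assumption).
        with self.conn:  # commits on success, rolls back on error
            cur = self.conn.execute("DELETE FROM token WHERE expires < ?",
                                    (int(now.timestamp()),))
        return cur.rowcount

    def token_ids(self):
        rows = self.conn.execute("SELECT id FROM token ORDER BY id")
        return [r[0] for r in rows]

class MemoryTokenDriver(TokenDriver):
    """Alternative backend overriding the same method."""
    def __init__(self):
        self.tokens = dict(SAMPLE)

    def flush_expired_tokens(self, now):
        expired = [t for t, exp in self.tokens.items() if exp < now]
        for t in expired:
            del self.tokens[t]
        return len(expired)
```

Returning the deleted count gives the operator a figure to log for each flush, since the rows themselves are gone afterwards.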
Blueprint information
- Status: Complete
- Approver: None
- Priority: Low
- Drafter: Dolph Mathews
- Direction: Approved
- Assignee: Jamie Lennox
- Definition: Discussion
- Series goal: Accepted for havana
- Implementation: Implemented
- Milestone target: 2013.2
- Started by: Dolph Mathews
- Completed by: Dolph Mathews
Whiteboard
Gerrit topic: https:/
Addressed by: https:/
Implement Token Flush via keystone-manage.
Take a look at the spec-url