keystone-manage token-flush

Registered by Dolph Mathews

(reduced scope of this BP to exclude issues related to archiving)

Bug 1032633 describes how keystone's token table grows unconditionally as new tokens are issued and not disposed of after expiration. We've left this issue to deployers to resolve, as keystone should not automatically delete tokens that provide traceability for security issues, etc.

However, we should provide a tool to make it easier to manage those tokens via keystone-manage.

I'd propose the following command:

  $ keystone-manage token-flush

Flushing tokens simply deletes expired tokens, eliminating any means of traceability.

This would require a new driver method that could be overridden with an alternative implementation, but it should look something like:

  delete_expired_tokens()

This method should not be exposed to the HTTP API (at least not as part of this BP) -- that should require additional discussion.
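An added sketch of the driver method described above (not keystone's own code): a base driver with an overridable delete_expired_tokens() and one SQL-backed implementation. The class names, the simplified token table and the sample tokens are assumptions constructed for illustration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone


class TokenDriver:
    """Hypothetical driver interface; each backend overrides the flush method."""

    def delete_expired_tokens(self, now=None):
        raise NotImplementedError


class SqlTokenDriver(TokenDriver):
    """Assumed SQL backend with a simplified token table (not keystone's schema)."""

    def __init__(self, conn):
        self.conn = conn
        conn.execute(
            "CREATE TABLE IF NOT EXISTS token ("
            "id TEXT PRIMARY KEY, user_id TEXT, expires INTEGER NOT NULL)"
        )
        # Index the expiry column so a flush does not scan the whole table.
        conn.execute("CREATE INDEX IF NOT EXISTS ix_token_expires ON token (expires)")

    def issue(self, token_id, user_id, expires):
        # Expiry is stored as epoch seconds so comparisons are unambiguous.
        self.conn.execute(
            "INSERT INTO token VALUES (?, ?, ?)",
            (token_id, user_id, int(expires.timestamp())),
        )

    def delete_expired_tokens(self, now=None):
        """Delete tokens expiring at or before `now`; return how many were removed."""
        now = now or datetime.now(timezone.utc)
        with self.conn:  # one transaction: commit on success, roll back on error
            cur = self.conn.execute(
                "DELETE FROM token WHERE expires <= ?", (int(now.timestamp()),)
            )
        return cur.rowcount  # lets the caller log how many records were dropped

    def token_ids(self):
        return [r[0] for r in self.conn.execute("SELECT id FROM token ORDER BY id")]


def demo():
    now = datetime(2013, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
    driver = SqlTokenDriver(sqlite3.connect(":memory:"))
    # Constructed sample tokens: two expired, one still valid.
    driver.issue("tok-expired-1", "alice", now - timedelta(hours=2))
    driver.issue("tok-expired-2", "bob", now - timedelta(seconds=1))
    driver.issue("tok-valid", "alice", now + timedelta(hours=1))
    removed = driver.delete_expired_tokens(now)
    return removed, driver.token_ids(), driver.delete_expired_tokens(now)
```

Unexpired tokens are left untouched, and a second flush removes nothing, so the command is safe to run repeatedly from a scheduler.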

Blueprint information

Status: Complete
Approver: None
Priority: Low
Drafter: Dolph Mathews
Direction: Approved
Assignee: Jamie Lennox
Definition: Discussion
Series goal: Accepted for havana
Implementation: Implemented
Milestone target: 2013.2
Started by: Dolph Mathews
Completed by: Dolph Mathews

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bug/1032633,n,z

Addressed by: https://review.openstack.org/28133
    Implement Token Flush via keystone-manage.

Take a look at the spec-url
