OpenStack Identity (keystone)

Periodically flush the expired tokens

Registered by Thomas Bechtold

With the H release, keystone-manage has a new parameter called "token_flush" to flush the expired tokens (see https://blueprints.launchpad.net/keystone/+spec/keystone-manage-token-flush).
This is still a manual task which needs to be done by operations.

There should be a periodic task in keystone to flush the expired tokens automatically.

I propose to add a new config parameter to the [token] section called "flush_period". This value is an integer (in seconds). If 0, the automatic flushing is disabled. So a possible keystone.conf looks like:

[token]
...
flush_period=3600
...

With this configuration, the expired tokens are every hour deleted.
To implement this, a ThreadGroup.add_timer() from openstack.common can be used.

Blueprint information

Status:
Complete
Approver:
None
Priority:
Undefined
Drafter:
None
Direction:
Needs approval
Assignee:
Thomas Bechtold
Definition:
Obsolete
Series goal:
None
Implementation:
Needs Code Review
Milestone target:
None
Started by
Dolph Mathews
Completed by
Morgan Fainberg

Related branches

Sprints

Whiteboard

(morganfainberg): As discussed in IRC, design sessions, and on the review, this will not be implemented in this way, Keystone does not have a periodic scheduler and this should be a Cron job with the ultimate goal of reaching non-persistent tokens (or other similar improvements).

Bumping this to m3 pending further conversation on the topic, as requested by Steven Hardy in https://review.openstack.org/59786

Gerrit topic: https://review.openstack.org/#q,topic:bp/keystone-manage-token-flush-periodically,n,z

Addressed by: https://review.openstack.org/59786
    Periodically flush expired tokens

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.