periodically flush expired token

Registered by yong sheng gong on 2013-08-22

This blueprint has been superseded. See the newer blueprint "Periodically flush the expired tokens" for updated plans.

Currently the deployer must add a cron-like job that calls 'keystone-manage token_flush' to remove expired token records from the token backend (kvs, mysql, memcache, etc.) so that the token persistence mechanism does not fill up with expired tokens.

This BP adds a periodic thread to the keystone-all process, which will run at a configurable interval to flush expired tokens from the DB. The interval should be configured to be greater than CONF.token.expiration (86400). If the configured value is no more than 0, the periodic thread will not run.

It also flushes the oauth token.
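A sketch of the periodic flush described above, as an added example and not Keystone's own code. The `token` table schema, the SQLite backend, and the names `make_demo_db`, `flush_expired` and `PeriodicFlusher` are assumptions made for illustration.

```python
import sqlite3
import threading
import time


def make_demo_db(path, now):
    """Constructed sample data: two expired tokens and one live token."""
    conn = sqlite3.connect(path)
    with conn:
        conn.execute("CREATE TABLE token (id TEXT PRIMARY KEY, expires REAL)")
        rows = [("t1", now - 3600), ("t2", now - 1), ("t3", now + 86400)]
        conn.executemany("INSERT INTO token VALUES (?, ?)", rows)
    return conn


def flush_expired(conn, now=None):
    """Delete token rows whose expiry has passed; return the number removed."""
    now = time.time() if now is None else now
    with conn:  # commit on success, roll back on error
        cur = conn.execute("DELETE FROM token WHERE expires <= ?", (now,))
    return cur.rowcount


class PeriodicFlusher:
    """Hypothetical helper: flush every `interval` seconds on a daemon thread."""

    def __init__(self, db_path, interval):
        self.db_path, self.interval = db_path, interval
        self._stop = threading.Event()
        self._thread = None

    def start(self):
        if self.interval <= 0:  # blueprint rule: no more than 0 means disabled
            return False
        self._thread = threading.Thread(target=self._run, daemon=True)
        self._thread.start()
        return True

    def _run(self):
        conn = sqlite3.connect(self.db_path)  # use the connection in its own thread
        try:
            while not self._stop.wait(self.interval):  # interruptible sleep
                flush_expired(conn)
        finally:
            conn.close()

    def stop(self):
        self._stop.set()
        if self._thread is not None:
            self._thread.join()
```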

Blueprint information

yong sheng gong
Needs approval
yong sheng gong
Series goal:
Not started
Milestone target:
Completed by
Morgan Fainberg on 2014-10-14


Dolph Mathews said: I'd suggest breaking the oauth token flushing into a separate blueprint, since there's considerably extra work around that.

Why should the configured interval be greater than CONF.token.expiration? That seems to be an unfounded recommendation.

yong sheng gong said: If the interval is less than CONF.token.expiration, sometimes it will run without reclaiming anything. But anyway, it is a configurable value.

Robert C. Barth said: Does it make sense to create a whole thread to do this, or how about just clear the expired tokens on token creation via SQL script? E.g. modify the token creation process to also clear the expired tokens when storing the new token. That will introduce some overhead into token creation, but it should be minimal. I think this would be a simpler change. A config value for whether the user wants this behavior would be convenient, as well.

Doug Schaapveld said: Why include the memcache driver? Doesn't memcached handle expiration on its own?

-- This is duplicated by bp keystone-manage-token-flush-periodically --

