Enable Keystone token flushing
This is the cookbook implementation of the following keystone blueprint: https:/
Bug 1032633 describes how keystone's token table grows unboundedly as new tokens are issued and not disposed of after expiration. The issue is left for deployers to resolve, because keystone should not automatically delete tokens that provide traceability for security issues, etc.
Keystone provides a tool to make it easier to manage those tokens via keystone-manage.
$ keystone-manage token-flush
Flushing tokens simply deletes expired tokens, eliminating any means of traceability.
This blueprint will add the ability to configure a cronjob to run token flushing to the openstack-
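A wrapper a deployer could point the cron entry at, as an added example that is not the cookbook's own code: it serialises runs with a lock directory and writes a timestamped line for every flush, so the deletion itself leaves a record. The script path, log path, lock path and variable names are assumptions.

```shell
#!/bin/sh
# Added example: wrapper for a cron-driven `keystone-manage token-flush`.
# Paths and variable names are assumptions for illustration; override via env.
KEYSTONE_MANAGE="${KEYSTONE_MANAGE:-keystone-manage}"
FLUSH_LOG="${FLUSH_LOG:-/var/log/keystone/token-flush.log}"
FLUSH_LOCK="${FLUSH_LOCK:-/var/lock/keystone-token-flush.lock}"

log_flush() {
    # One line per event with a UTC timestamp, so every deletion has a record.
    printf '%s token-flush %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" >> "$FLUSH_LOG"
}

flush_expired_tokens() {
    # mkdir is atomic: only one run at a time can create the lock directory.
    if ! mkdir "$FLUSH_LOCK" 2>/dev/null; then
        log_flush "skipped reason=already-running"
        return 75   # EX_TEMPFAIL: a previous flush still holds the lock
    fi
    log_flush "start"
    rc=0
    "$KEYSTONE_MANAGE" token-flush || rc=$?
    rmdir "$FLUSH_LOCK"
    log_flush "end rc=$rc"
    return "$rc"
}

# Run only when invoked with --run, e.g. from a cron.d entry (hypothetical path):
#   0 * * * * keystone /usr/local/bin/keystone-token-flush.sh --run
if [ "${1:-}" = "--run" ]; then
    flush_expired_tokens
fi
```

If a run is killed before it removes the lock directory, later runs log `skipped` until the directory is deleted, which makes a stuck flush visible in the log rather than silent.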
Blueprint information
- Status: Complete
- Approver: Justin Shepherd
- Priority: Undefined
- Drafter: Luis A. Garcia
- Direction: Needs approval
- Assignee: Luis A. Garcia
- Definition: New
- Series goal: Accepted for icehouse
- Implementation: Implemented
- Milestone target: None
- Started by: Mark Vanderwiel
- Completed by: Mark Vanderwiel
Whiteboard
Gerrit topic: https:/
Addressed by: https:/
Add crontab to flush tokens via keystone-manage