7

Keystone never deletes expired tokens in the database

asked 2013-05-30 23:08:11 -0500

chen-li

Keystone never deletes expired tokens in the database. And I noticed the token table has no index on “expired” and “valid”. Is this a bug, or is it designed to work this way? Why?

Thanks. -chen


3 answers

7

answered 2013-06-02 21:18:48 -0500

zhidong

I guess it was designed deliberately for auditing purposes. It expects operators to decide when to delete those expired tokens from the database. The same design can be seen in other OpenStack projects such as Nova.

While creating proper indexes could speed up querying in a big table, what operators need is a tool instead of running a SQL command which might be dangerous (e.g. 'DELETE FROM token WHERE expires <= NOW()').

The BP below proposed a new sub-command to keystone-manage to delete obsoleted tokens:

https://blueprints.launchpad.net/keystone/+spec/keystone-manage-token-flush

$ keystone-manage token-flush


Comments

3

The command is: keystone-manage token_flush (with underscore)

Marcos F. Lobo (2014-04-04 09:26:34 -0500)
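
An added example, not part of the thread and not Keystone's own code: a bounded, batched purge in place of the open-ended DELETE the answer above warns about, with a retention window for the auditing case and an index on the expiry column. It uses the column layout from the `desc token` output on this page; SQLite stands in for MySQL, and the index name, function names and `retain` parameter are assumptions.

```python
import sqlite3
from datetime import datetime, timedelta

# Column layout follows the `desc token` output on this page (SQLite types).
SCHEMA = """
CREATE TABLE token (
    id TEXT PRIMARY KEY, expires TEXT, extra TEXT,
    valid INTEGER NOT NULL, trust_id TEXT, user_id TEXT
);
CREATE INDEX ix_token_expires ON token (expires);  -- hypothetical index name
"""

def purge_expired(conn, now, retain=timedelta(0), batch=1000, dry_run=False):
    """Delete tokens that expired before now - retain; return the row count."""
    cutoff = (now - retain).strftime("%Y-%m-%d %H:%M:%S")
    if dry_run:  # report what would go, change nothing
        return conn.execute(
            "SELECT COUNT(*) FROM token WHERE expires < ?", (cutoff,)).fetchone()[0]
    total = 0
    while True:
        # Bounded batches keep each transaction short on a busy table.
        cur = conn.execute(
            "DELETE FROM token WHERE id IN "
            "(SELECT id FROM token WHERE expires < ? LIMIT ?)", (cutoff, batch))
        conn.commit()
        total += cur.rowcount
        if cur.rowcount < batch:
            return total

def build_sample(now):
    """Constructed sample data: 5 tokens expired 1..5 days ago, 3 still live."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    fmt = "%Y-%m-%d %H:%M:%S"
    rows = [(f"old{i}", (now - timedelta(days=i)).strftime(fmt), "{}", 1, None, "u1")
            for i in range(1, 6)]
    rows += [(f"live{i}", (now + timedelta(hours=i)).strftime(fmt), "{}", 1, None, "u1")
             for i in range(1, 4)]
    conn.executemany("INSERT INTO token VALUES (?,?,?,?,?,?)", rows)
    conn.commit()
    return conn

if __name__ == "__main__":
    now = datetime(2013, 6, 1, 12, 0, 0)
    conn = build_sample(now)
    print("would delete:", purge_expired(conn, now, dry_run=True))
    print("deleted:", purge_expired(conn, now, retain=timedelta(days=2), batch=2))
```

Passing the cutoff as a bound parameter and running the dry-run count first gives the operator a figure to check before any row is removed.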
1

answered 2014-09-23 21:15:05 -0500

neut

updated 2014-09-23 21:16:22 -0500

This is now solved with OpenStack Havana. Anything lower than Havana can use the cron mentioned here: http://thisismyeye.blogspot.in/2014/03/openstack-grizzly-slow-api-and-timeouts.html

-1

answered 2013-05-31 11:33:30 -0500

RomilGupta

Hi Chen,

Generally the token validity is for 24 hours. Please find the below output that clarifies most of the things:

keystone token-get
+-----------+----------------------------------+
|  Property |              Value               |
+-----------+----------------------------------+
|  expires  |       2013-05-10T23:22:41Z       |
|     id    | 22a8ffa77972414c8ef33fe4fd81c485 |
| tenant_id | b9f348e102224ed49e68f23cbb0b7ac7 |
|  user_id  | b30c4c9f8f704d89a303f149294938db |
+-----------+----------------------------------+

desc token;
+----------+-------------+------+-----+---------+-------+
| Field    | Type        | Null | Key | Default | Extra |
+----------+-------------+------+-----+---------+-------+
| id       | varchar(64) | NO   | PRI | NULL    |       |
| expires  | datetime    | YES  |     | NULL    |       |
| extra    | mediumtext  | YES  |     | NULL    |       |
| valid    | tinyint(1)  | NO   |     | NULL    |       |
| trust_id | varchar(64) | YES  |     | NULL    |       |
| user_id  | varchar(64) | YES  |     | NULL    |       |
+----------+-------------+------+-----+---------+-------+

Comments

I think Chen's question was about why the expired tokens were not removed from the database.

zhidong (2013-06-02 21:08:32 -0500)


Stats

Asked: 2013-05-30 23:08:11 -0500

Seen: 6,726 times

Last updated: Sep 23 '14