Bug 1052807

Summary: [RFE][keystone]: Reduce default token duration
Product: Red Hat OpenStack Reporter: RHOS Integration <rhos-integ>
Component: openstack-keystoneAssignee: RHOS Maint <rhos-maint>
Status: CLOSED ERRATA QA Contact: Ami Jeain <ajeain>
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aberezin, ajeain, apevec, ayoung, breeler, cpelland, dowillia, markmc, nkhare, nkinder, sclewis, yeylon
Target Milestone: Upstream M2Keywords: FutureFeature, Triaged
Target Release: 5.0 (RHEL 7)   
Hardware: Unspecified   
OS: Unspecified   
URL: https://blueprints.launchpad.net/keystone/+spec/reduce-default-token-duration
Whiteboard: upstream_milestone_icehouse-2 upstream_status_implemented upstream_definition_new
Fixed In Version: openstack-keystone-2014.1-2.el7ost Doc Type: Enhancement
Doc Text:
The Identity service default token duration setting has been reduced to one hour. The Identity service previously defaulted to a token duration of 24 hours, which would results in scalability problems due to a large number of tokens being persisted in Identity's token database for tokens that are most likely not in use any more. Now, the number of tokens persisted in Identity's token database will be vastly reduced compared to the previous default setting, resulting in improved scalability.
 Story Points: ---
Clone Of:
: 1070990 1095520 (view as bug list) Environment:
Last Closed: 2014-07-08 15:24:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1040649, 1070990, 1095520    

Description RHOS Integration 2014-01-14 05:08:45 UTC 
Cloned from launchpad blueprint https://blueprints.launchpad.net/keystone/+spec/reduce-default-token-duration.

Description:

The default token duration of 24 hours (86400 seconds) is long enough such that we must deal with issues such as premature token revocation and large numbers of simultaneously valid persisted tokens. Reducing the default token lifespan to something that more closely resembles real-world long running processes (1 hour, for example) would reduce the overall overhead associated with tokens.

Specification URL (additional information):

None
Comment 2 Stephen Gordon 2014-01-23 20:50:53 UTC 
Moving to POST based on upstream status (Implemented).
Comment 3 Nathan Kinder 2014-02-27 01:15:28 UTC 
The default token duration was reduced to 1 hour.  You should be able to verify by checking the token expiration timestamp when getting a new token via curl.  An example of using curl to get a token with the v2 is here:

  http://docs.openstack.org/developer/keystone/api_curl_examples.html#id3

There is a v3 example here:

  http://adam.younglogic.com/2013/09/keystone-v3-api-examples/
Comment 4 Nathan Kinder 2014-03-18 21:18:26 UTC 
*** Bug 1066391 has been marked as a duplicate of this bug. ***
Comment 5 Alan Pevec 2014-03-28 18:12:26 UTC 
(In reply to Nathan Kinder from comment #3)
> The default token duration was reduced to 1 hour.

NB puppet-keystone still has 24h default
 https://github.com/stackforge/puppet-keystone/blob/master/manifests/init.pp#L154
Comment 6 Nathan Kinder 2014-03-29 04:20:45 UTC 
(In reply to Alan Pevec from comment #5)
> (In reply to Nathan Kinder from comment #3)
> > The default token duration was reduced to 1 hour.
> 
> NB puppet-keystone still has 24h default
>  https://github.com/stackforge/puppet-keystone/blob/master/manifests/init.
> pp#L154

Good catch.  This was addressed in Keystone by changing the setting in the keystone.conf.sample file:

    https://review.openstack.org/#/c/66449/

I have filed an upstream puppet-keystone bug and submitted a patch/review:

    https://bugs.launchpad.net/puppet-keystone/+bug/1299334
    https://review.openstack.org/#/c/83948/
Comment 7 Nathan Kinder 2014-03-31 20:10:34 UTC 
The upstream change for puppet-keystone has been merged:

  https://git.openstack.org/cgit/stackforge/puppet-keystone/commit/?id=af070094bf6d240e71e035666a124b40ea18dc2c
Comment 13 Udi Kalifon 2014-04-27 11:09:28 UTC 
This bug fails QA because, although the defaults in the code have been changed as requested, we are still setting expiration = 86400 in the keystone.conf file. This looks like a packstack/puppet bug and not a keystone one, but until we stop changing the conf file this bug will never be closed...

Please leave the expiration parameter commented out by default and set to 3600, same as it is in upstream.
Comment 14 Nathan Kinder 2014-04-28 16:36:38 UTC 
(In reply to Udi from comment #13)
> This bug fails QA because, although the defaults in the code have been
> changed as requested, we are still setting expiration = 86400 in the
> keystone.conf file. This looks like a packstack/puppet bug and not a
> keystone one, but until we stop changing the conf file this bug will never
> be closed...
> 
> Please leave the expiration parameter commented out by default and set to
> 3600, same as it is in upstream.

This is a OSP 5.0 bug, and it was not in MODIFIED yet.  You are correct that there is a puppet-keystone fix required, which is mentioned in comment#6.  This has been fixed upstream, but needs to be backported internally, which is why it was in POST.  Please don't try to verify it until it is in the MODIFIED state.
Comment 15 Alan Pevec 2014-05-08 12:47:09 UTC 
Keystone part is done, bug 1095520 is clonned for puppet change.
Comment 16 Ami Jeain 2014-06-15 11:18:20 UTC 
failedQA:

from /etc/keystone/keystone.conf, using packstack installation:

# Amount of time a token should remain valid (in seconds).
# (integer value)
#expiration=3600
expiration=86400

# rpm -qa |grep openstack-keystone
openstack-keystone-2014.1-3.el7ost.noarch
Comment 17 Nathan Kinder 2014-06-16 14:11:03 UTC 
(In reply to Ami Jeain from comment #16)
> failedQA:
> 
> from /etc/keystone/keystone.conf, using packstack installation:
> 
> # Amount of time a token should remain valid (in seconds).
> # (integer value)
> #expiration=3600
> expiration=86400
> 
> # rpm -qa |grep openstack-keystone
> openstack-keystone-2014.1-3.el7ost.noarch

I expect that puppet is changing it (which is being handled in bug 1095520).  If you install openstack-keystone directly via yum (without running packstack), is the expiration set to 3600 in /etc/keystone/keystone.conf?  If so, the bug in openstack-keystone is fixed.

We need the openstack-puppet-modules fix to resolve this completely.
Comment 18 Ami Jeain 2014-06-16 14:31:22 UTC 
verified that the keystone.conf in openstack-keystone-2014.1-3.el7ost.noarch.rpm has the #expiration=3600.
Will wait for the other puppet-module fix to make sure that packstack doesn't change the value to 86400
Comment 21 errata-xmlrpc 2014-07-08 15:24:21 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2014-0854.html