Bug 1127236

Summary: Staypuft does not create the cron job to flush the keystone tokens
Product: Red Hat OpenStack
Reporter: Udi Kalifon <ukalifon>
Component: openstack-foreman-installer
Assignee: Jason Guiditta <jguiditt>
Status: CLOSED ERRATA
QA Contact: Udi Kalifon <ukalifon>
Severity: high
Priority: unspecified
Version: 5.0 (RHEL 7)
CC: ayoung, jtaleric, mburns, mlopes, morazi, nkinder, rhos-maint, yeylon
Target Milestone: z2
Target Release: Installer
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-foreman-installer-2.0.28-1.el6ost
Doc Type: Bug Fix
Doc Text:
Prior to this update, the Identity Service (keystone) did not automatically flush tokens. Instead, the expectation was that token flushing would be manually performed using the 'keystone-manage' command. If this action was not taken, the Identity Service would build up a large number of tokens, which used up space and potentially slowed performance. With this update, a cron job is set up to flush tokens, and consequently, they do not accumulate and potentially affect Identity Service performance.
Last Closed: 2014-11-04 17:01:41 UTC
Type: Bug

Description Udi Kalifon 2014-08-06 12:47:26 UTC
Description of problem:
The cron job to flush the expired keystone tokens is not configured when installing with staypuft.


Version-Release number of selected component (if applicable):
ruby193-rubygem-staypuft-0.1.22-1.el6ost.noarch


How reproducible:
100%


Steps to Reproduce:
1. Install according to the instructions here: http://etherpad.corp.redhat.com/Create-staypuft-test-setup
2. On the controller machine, run the command: "crontab -u keystone -l"


Actual results:
cron table is empty


Expected results:
You should see a job that runs every minute:
*/1 * * * * /usr/bin/keystone-manage token_flush >/dev/null 2>&1
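
The check from the reproduction steps above, as an added example that is not part of the original bug report or the installer's code: it parses the text printed by `crontab -u keystone -l` and reports whether an active `token_flush` job exists, so a commented-out entry is not mistaken for a working one. The function names and sample listings are constructed for illustration.

```shell
# Added example: audit a crontab listing for an active keystone token_flush job.
# On a controller, feed it the command from the bug report:
#   check_token_flush "$(crontab -u keystone -l 2>/dev/null)"

# Read crontab text on stdin; print the schedule of each active token_flush job.
token_flush_schedules() {
    while read -r m h dom mon dow cmd || [ -n "$m" ]; do
        case "$m" in
            ''|'#'*|*=*) continue ;;                        # blank, comment, VAR=value
            @*) sched=$m; cmd="$h $dom $mon $dow $cmd" ;;   # @hourly-style shortcut
            *)  sched="$m $h $dom $mon $dow" ;;             # five-field schedule
        esac
        case "$cmd" in
            *keystone-manage*token_flush*) printf '%s\n' "$sched" ;;
        esac
    done
}

# Return 0 if the listing ($1) has at least one active job, 1 if it has none.
check_token_flush() {
    schedules=$(printf '%s\n' "$1" | token_flush_schedules)
    if [ -z "$schedules" ]; then
        echo "FAIL: no active token_flush job; expired tokens will accumulate"
        return 1
    fi
    echo "OK: token_flush scheduled at: $schedules"
}

# Constructed sample listings (not captured from a real host).
SAMPLE_FIXED='# constructed comment line
*/1 * * * * /usr/bin/keystone-manage token_flush >/dev/null 2>&1'
SAMPLE_EMPTY=''
SAMPLE_DISABLED='MAILTO=root
#*/1 * * * * /usr/bin/keystone-manage token_flush >/dev/null 2>&1'

check_token_flush "$SAMPLE_FIXED"
check_token_flush "$SAMPLE_EMPTY" || true
check_token_flush "$SAMPLE_DISABLED" || true
```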

Comment 3 Jason Guiditta 2014-08-08 14:45:54 UTC
We could add such a thing like packstack does, but it sounds like a bandaid to me.  Why is this needed?  Are we (and packstack) misconfiguring keystone, or does keystone have a bug?  If we solve this in one of those 2 places, which is where it belongs in my opinion, then this cron task is not needed.  Flushing tokens every minute sounds like madness to me. Adam, any thoughts on why this is needed and a better way to handle it?

Comment 4 Jason Guiditta 2014-09-30 18:57:05 UTC
*** Bug 1148098 has been marked as a duplicate of this bug. ***

Comment 5 Nathan Kinder 2014-09-30 19:14:43 UTC
The keystone process itself does not flush tokens (ever).  Token flushing is performed by keystone-manage, which has to be explicitly run.  It was handled this way since Keystone didn't have workers, and handling requests would be blocked when performing a large flush of expired tokens.  This is why we set up a cron job.

Every minute seems frequent, but it keeps the amount of tokens that need to be flushed for any given flush event quite low.  There might be a better way to do this in the future, but this is how Keystone works right now.

Comment 6 Jason Guiditta 2014-10-01 18:06:25 UTC
Patch posted:
https://github.com/redhat-openstack/astapor/pull/378

Comment 9 Udi Kalifon 2014-10-23 10:59:29 UTC
Verified:
ruby193-rubygem-staypuft-0.4.8-1.el6ost.noarch

Comment 11 errata-xmlrpc 2014-11-04 17:01:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2014-1800.html