Bug 908355
Summary: | Keystone SQL Backend does not remove expired tokens | |||
---|---|---|---|---|
Product: | Red Hat OpenStack | Reporter: | Pavel Sedlák <psedlak> | |
Component: | openstack-keystone | Assignee: | Adam Young <ayoung> | |
Status: | CLOSED ERRATA | QA Contact: | Udi Kalifon <ukalifon> | |
Severity: | high | Docs Contact: | ||
Priority: | high | |||
Version: | 2.0 (Folsom) | CC: | aberezin, ajeain, apevec, ayoung, breeler, dpal, nkinder, ohochman, sclewis, slong | |
Target Milestone: | Upstream M3 | Keywords: | FutureFeature, Rebase, Triaged | |
Target Release: | 5.0 (RHEL 7) | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | Doc Type: | Known Issue | ||
Doc Text: |
The SQL backend for Identity records tokens. It does not have a timeout, and it does not automatically remove tokens once they are recorded.
As a consequence, the SQL database can run out of storage space.
As a workaround, Identity now includes a command to remove tokens, namely 'keystone-manage token_flush'. This process should be scheduled to run regularly via cron. It is recommended that this command be run approximately once per minute.
|
: | 1011091 1011093 1029671 (view as bug list) | Environment: | ||
Last Closed: | 2014-07-08 15:23:30 UTC | Type: | Bug | |
Bug Depends On: | 990584 | |||
Bug Blocks: | 1003878, 1011091, 1011093, 1029671 |
Description
Pavel Sedlák
2013-02-06 13:51:14 UTC
*** Bug 926921 has been marked as a duplicate of this bug. ***

keystone-manage token_flush was merged in Havana

I just submitted this patch upstream, which builds on previous solutions, and provides a means to automate the token removal. https://review.openstack.org/#/c/39507/

*** Bug 1011091 has been marked as a duplicate of this bug. ***

*** Bug 1011093 has been marked as a duplicate of this bug. ***

Solution should be to schedule the command keystone-manage token_flush via cron to run on the keystone server. The interval for the command really depends on the load. With MySQL, there is some issue with Database locking, and some people have reported that going too long between flushes has caused Keystone to be unresponsive when running the command. Once a minute is probably a safe value.

Adam, can you review the TCMS test case? Please see if there is anything to add to it.

Test plan looks good. +2

Verified in M3:
openstack-packstack-2014.1.1-0.7.dev1018.el7.noarch
openstack-keystone-2014.1-0.4.b3.el7.noarch

This is also verified in 4.0

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHEA-2014-0854.html
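
A once-a-minute cron job can start while the previous flush is still running, so the following wrapper takes a non-blocking lock and skips the run in that case. It is an added example, not code from Keystone or from this bug report; the script path, the lock file path, the `FLUSH_CMD` and `LOCK_FILE` variables and the exit status 75 are assumptions.

```shell
#!/bin/sh
# Added example: cron-safe wrapper around 'keystone-manage token_flush'.
# FLUSH_CMD and LOCK_FILE are overridable assumptions, not Keystone settings.
FLUSH_CMD="${FLUSH_CMD:-keystone-manage token_flush}"
LOCK_FILE="${LOCK_FILE:-/var/lock/keystone-token-flush.lock}"
SKIPPED=75   # status returned here when a previous flush still holds the lock

# Run one flush under an exclusive, non-blocking lock.
# Returns 0 on success, $SKIPPED if another flush is still running,
# or the flush command's own non-zero status if it fails.
flush_tokens() {
    (
        # fd 9 stays open for the life of this subshell, so the lock is
        # released automatically when the flush exits or is killed.
        flock -n 9 || exit "$SKIPPED"
        # Unquoted on purpose: FLUSH_CMD holds a command plus its arguments.
        $FLUSH_CMD
    ) 9>"$LOCK_FILE"
}

# Only act when called as '<script> run', so the file can also be sourced.
# Example /etc/cron.d entry (script path is hypothetical):
#   * * * * * keystone /usr/local/sbin/keystone-token-flush.sh run
if [ "${1:-}" = "run" ]; then
    flush_tokens
    exit $?
fi
```

A non-zero status other than 75 means the flush itself failed and is worth alerting on; 75 only means the previous run had not finished.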