1052807 – [RFE][keystone]: Reduce default token duration

Bug 1052807 - [RFE][keystone]: Reduce default token duration

Summary: [RFE][keystone]: Reduce default token duration

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-keystone
Sub Component:
Version:	unspecified
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	Upstream M2
Target Release:	5.0 (RHEL 7)
Assignee:	RHOS Maint
QA Contact:	Ami Jeain
Docs Contact:
URL:	https://blueprints.launchpad.net/keys...
Whiteboard:	upstream_milestone_icehouse-2 upstrea...
Duplicates (1):	1066391 (view as bug list)
Depends On:
Blocks:	1040649 1070990 1095520
TreeView+	depends on / blocked

Reported:	2014-01-14 05:08 UTC by RHOS Integration
Modified:	2016-04-26 22:08 UTC (History)
CC List:	12 users (show)
Fixed In Version:	openstack-keystone-2014.1-2.el7ost
Doc Type:	Enhancement
Doc Text:	The Identity service default token duration setting has been reduced to one hour. The Identity service previously defaulted to a token duration of 24 hours, which would results in scalability problems due to a large number of tokens being persisted in Identity's token database for tokens that are most likely not in use any more. Now, the number of tokens persisted in Identity's token database will be vastly reduced compared to the previous default setting, resulting in improved scalability.
Clone Of:
Clones:	1070990 1095520 (view as bug list)
Environment:
Last Closed:	2014-07-08 15:24:21 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Launchpad	1299334	None	None	None	Never
OpenStack gerrit	66449	None	None	None	Never
OpenStack gerrit	83948	None	None	None	Never
Red Hat Product Errata	RHEA-2014:0854	normal	SHIPPED_LIVE	Red Hat Enterprise Linux OpenStack Platform Enhancement - Identity	2014-07-08 19:22:33 UTC

Description RHOS Integration 2014-01-14 05:08:45 UTC

Cloned from launchpad blueprint https://blueprints.launchpad.net/keystone/+spec/reduce-default-token-duration.

Description:

The default token duration of 24 hours (86400 seconds) is long enough such that we must deal with issues such as premature token revocation and large numbers of simultaneously valid persisted tokens. Reducing the default token lifespan to something that more closely resembles real-world long running processes (1 hour, for example) would reduce the overall overhead associated with tokens.

Specification URL (additional information):

None

Comment 2 Stephen Gordon 2014-01-23 20:50:53 UTC

Moving to POST based on upstream status (Implemented).

Comment 3 Nathan Kinder 2014-02-27 01:15:28 UTC

The default token duration was reduced to 1 hour.  You should be able to verify by checking the token expiration timestamp when getting a new token via curl.  An example of using curl to get a token with the v2 is here:

  http://docs.openstack.org/developer/keystone/api_curl_examples.html#id3

There is a v3 example here:

  http://adam.younglogic.com/2013/09/keystone-v3-api-examples/

Comment 4 Nathan Kinder 2014-03-18 21:18:26 UTC

*** Bug 1066391 has been marked as a duplicate of this bug. ***

Comment 5 Alan Pevec 2014-03-28 18:12:26 UTC

(In reply to Nathan Kinder from comment #3)
> The default token duration was reduced to 1 hour.

NB puppet-keystone still has 24h default
 https://github.com/stackforge/puppet-keystone/blob/master/manifests/init.pp#L154

Comment 6 Nathan Kinder 2014-03-29 04:20:45 UTC

(In reply to Alan Pevec from comment #5)
> (In reply to Nathan Kinder from comment #3)
> > The default token duration was reduced to 1 hour.
> 
> NB puppet-keystone still has 24h default
>  https://github.com/stackforge/puppet-keystone/blob/master/manifests/init.
> pp#L154

Good catch.  This was addressed in Keystone by changing the setting in the keystone.conf.sample file:

    https://review.openstack.org/#/c/66449/

I have filed an upstream puppet-keystone bug and submitted a patch/review:

    https://bugs.launchpad.net/puppet-keystone/+bug/1299334
    https://review.openstack.org/#/c/83948/

Comment 7 Nathan Kinder 2014-03-31 20:10:34 UTC

The upstream change for puppet-keystone has been merged:

  https://git.openstack.org/cgit/stackforge/puppet-keystone/commit/?id=af070094bf6d240e71e035666a124b40ea18dc2c

Comment 13 Udi Kalifon 2014-04-27 11:09:28 UTC

This bug fails QA because, although the defaults in the code have been changed as requested, we are still setting expiration = 86400 in the keystone.conf file. This looks like a packstack/puppet bug and not a keystone one, but until we stop changing the conf file this bug will never be closed...

Please leave the expiration parameter commented out by default and set to 3600, same as it is in upstream.

Comment 14 Nathan Kinder 2014-04-28 16:36:38 UTC

(In reply to Udi from comment #13)
> This bug fails QA because, although the defaults in the code have been
> changed as requested, we are still setting expiration = 86400 in the
> keystone.conf file. This looks like a packstack/puppet bug and not a
> keystone one, but until we stop changing the conf file this bug will never
> be closed...
> 
> Please leave the expiration parameter commented out by default and set to
> 3600, same as it is in upstream.

This is a OSP 5.0 bug, and it was not in MODIFIED yet.  You are correct that there is a puppet-keystone fix required, which is mentioned in comment#6.  This has been fixed upstream, but needs to be backported internally, which is why it was in POST.  Please don't try to verify it until it is in the MODIFIED state.

Comment 15 Alan Pevec 2014-05-08 12:47:09 UTC

Keystone part is done, bug 1095520 is clonned for puppet change.

Comment 16 Ami Jeain 2014-06-15 11:18:20 UTC

failedQA:

from /etc/keystone/keystone.conf, using packstack installation:

# Amount of time a token should remain valid (in seconds).
# (integer value)
#expiration=3600
expiration=86400

# rpm -qa |grep openstack-keystone
openstack-keystone-2014.1-3.el7ost.noarch

Comment 17 Nathan Kinder 2014-06-16 14:11:03 UTC

(In reply to Ami Jeain from comment #16)
> failedQA:
> 
> from /etc/keystone/keystone.conf, using packstack installation:
> 
> # Amount of time a token should remain valid (in seconds).
> # (integer value)
> #expiration=3600
> expiration=86400
> 
> # rpm -qa |grep openstack-keystone
> openstack-keystone-2014.1-3.el7ost.noarch

I expect that puppet is changing it (which is being handled in bug 1095520).  If you install openstack-keystone directly via yum (without running packstack), is the expiration set to 3600 in /etc/keystone/keystone.conf?  If so, the bug in openstack-keystone is fixed.

We need the openstack-puppet-modules fix to resolve this completely.

Comment 18 Ami Jeain 2014-06-16 14:31:22 UTC

verified that the keystone.conf in openstack-keystone-2014.1-3.el7ost.noarch.rpm has the #expiration=3600.
Will wait for the other puppet-module fix to make sure that packstack doesn't change the value to 86400

Comment 21 errata-xmlrpc 2014-07-08 15:24:21 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2014-0854.html

Note You need to log in before you can comment on or make changes to this bug.