Description of problem:
The cron job to flush the expired keystone tokens is not configured when installing with staypuft.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Install according to the instructions here: http://etherpad.corp.redhat.com/Create-staypuft-test-setup
2. On the controller machine, run the command: "crontab -u keystone -l"
cron table is empty
You should see a job that runs every minute:
*/1 * * * * /usr/bin/keystone-manage token_flush >/dev/null 2>&1
We could add such a thing like packstack does, but it sounds like a bandaid to me. Why is this needed? Are we (and packstack) misconfiguring keystone, or does keystone have a bug? If we solve this in one of those 2 places, which is where it belongs in my opinion, then this cron task is not needed. Flushing tokens every minute sounds like madness to me. Adam, any thoughts on why this is needed and a better way to handle it?
*** Bug 1148098 has been marked as a duplicate of this bug. ***
The keystone process itself does not flush tokens (ever). Token flushing is performed by keystone-manage, which has to be explicitly run. It was handled this way since Keystone didn't have workers, and handling requests would be blocked when performing a large flush of expired tokens. This is why we set up a cron job.
Every minute seems frequent, but it keeps the amount of tokens that need to be flushed for any given flush event quite low. There might be a better way to do this in the future, but this is how Keystone works right now.
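A check for the missing job discussed in this report, as an added example that is not part of the original bug thread or of staypuft/packstack: it reads a crontab listing and reports whether an active (uncommented) `keystone-manage token_flush` entry exists. The function name and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether a crontab listing contains an active
# keystone token_flush job. Reads the listing on stdin, returns 0 if
# found and 1 otherwise.
has_token_flush_job() {
    awk '
        /^[ \t]*#/ { next }                            # commented-out entries do not count
        /^[ \t]*$/ { next }                            # blank lines
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next } # VAR=value lines
        {
            # Five schedule fields precede the command, or one for @hourly etc.
            start = ($1 ~ /^@/) ? 2 : 6
            cmd = ""
            for (i = start; i <= NF; i++) cmd = cmd " " $i
            if (index(cmd, "keystone-manage token_flush") > 0) found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample listings (not captured from a real system).
# SAMPLE_OK uses the cron line quoted in the report.
SAMPLE_OK='MAILTO=root
*/1 * * * * /usr/bin/keystone-manage token_flush >/dev/null 2>&1'
SAMPLE_COMMENTED='# */1 * * * * /usr/bin/keystone-manage token_flush >/dev/null 2>&1'
SAMPLE_OTHER='0 3 * * * /usr/bin/logrotate /etc/logrotate.conf'

# Print a one-line verdict for each constructed sample.
report_samples() {
    for name in SAMPLE_OK SAMPLE_COMMENTED SAMPLE_OTHER; do
        eval "listing=\$$name"
        if printf '%s\n' "$listing" | has_token_flush_job; then
            echo "$name: token_flush job present"
        else
            echo "$name: token_flush job MISSING"
        fi
    done
}

report_samples
```

On a controller, run as root: `crontab -u keystone -l 2>/dev/null | has_token_flush_job`.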
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.