Bug 1287865 - [RFE][keystone]Using "memcached" as the default token persistence driver in Keystone
[RFE][keystone]Using "memcached" as the default token persistence driver in K...
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone (Show other bugs)
7.0 (Kilo)
Unspecified Unspecified
unspecified Severity high
: ---
: 8.0 (Liberty)
Assigned To: Adam Young
: FutureFeature
Depends On:
  Show dependency treegraph
Reported: 2015-12-02 16:16 EST by Pablo Caruana
Modified: 2016-04-27 01:00 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Cause: Consequence: Fix: Result:
Story Points: ---
Clone Of:
Last Closed: 2016-03-19 18:44:39 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Pablo Caruana 2015-12-02 16:16:51 EST
Description of problem:

On an Overcloud deployed with RHOSP7 (using Director), I see that Keystone is configured to store tokens in MySQL (token persistence driver), instead of "memcached".

As Keystone tokens have an expiration time (TTL). MySQL semantics do not support the concept of expiration. That means that expired Keystone tokens have to be manually deleted from MySQL by using a "cron" script. However, "memcached" semantics support the concept of expiration (TTL) natively and is much better suited as a token persistence backend than MySQL.

 The architecture deployed by Director uses MySQL as a token persistence driver for Keystone, instead of "memcached".

Upstream OpenStack Keystone configuration reference explicitly mentions "memcached" as a token persistence driver.

This is for changing the default backend for Keystone tokens from MySQL to memcached? Or at least, offer the option to configure Keystone to work on that way.
Comment 4 Adam Young 2016-01-20 14:49:28 EST
Memcache will not be the default.  Memcache has been tested upstream and the results are unfavorable.  With UUID tokens, the failure mode is acceptable:  often valid tokens will show up as invalid.  With PKI tokens, revoked tokens can be "unrevoked" if they are dropped from Memcache.

The token format for future use is Fernet.  There is work happening upstream to make Fernet the default, and that will be the recommended format to use.  Fernet does not require persistence for tokens.
Comment 8 Adam Young 2016-03-19 18:44:39 EDT
Note that this review is abandoned.

Abandoned refarch does not use memcached for keystone tokens

Note You need to log in before you can comment on or make changes to this bug.