Red Hat Bugzilla – Bug 1287865
[RFE][keystone]Using "memcached" as the default token persistence driver in Keystone
Last modified: 2016-04-27 01:00:14 EDT
Description of problem:
On an Overcloud deployed with RHOSP7 (using Director), I see that Keystone is configured to store tokens in MySQL (token persistence driver), instead of "memcached".
As Keystone tokens have an expiration time (TTL), and MySQL semantics do not support the concept of expiration, expired Keystone tokens have to be manually deleted from MySQL by a "cron" script. "memcached" semantics, however, support the concept of expiration (TTL) natively, so memcached is much better suited as a token persistence backend than MySQL.
The architecture deployed by Director uses MySQL as a token persistence driver for Keystone, instead of "memcached".
Upstream OpenStack Keystone configuration reference explicitly mentions "memcached" as a token persistence driver.
Is this for changing the default backend for Keystone tokens from MySQL to memcached? Or, at least, for offering the option to configure Keystone to work that way.
Memcache will not be the default. Memcache has been tested upstream and the results are unfavorable. With UUID tokens, the failure mode is acceptable: often valid tokens will show up as invalid. With PKI tokens, revoked tokens can be "unrevoked" if they are dropped from Memcache.
The token format for future use is Fernet. There is work happening upstream to make Fernet the default, and that will be the recommended format to use. Fernet does not require persistence for tokens.
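The two failure modes described in the reply above, and the point that a self-describing token needs no persistence, as an added example that is not part of this bug report or of Keystone's own code. The `VolatileCache` class is a stand-in for memcached (a bounded LRU store that evicts whatever is oldest), `DurableStore` is a stand-in for the SQL driver plus its cron-style flush, and the HMAC-signed token is a simplified stand-in for a PKI or Fernet token (real Fernet is AES-CBC plus HMAC and Keystone's formats differ); all names, key material and TTL values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import os
from collections import OrderedDict

# Constructed key for the example only; a real deployment keeps this in a key repository.
SIGNING_KEY = b"example-signing-key-not-for-production"


class VolatileCache:
    """Stand-in for memcached: a bounded LRU store. Under memory pressure it evicts the
    least recently used entry and does not care whether that entry is a token record
    or a revocation record."""

    def __init__(self, capacity):
        self.capacity = capacity
        self._items = OrderedDict()

    def set(self, key, value):
        self._items[key] = value
        self._items.move_to_end(key)
        while len(self._items) > self.capacity:
            self._items.popitem(last=False)

    def get(self, key):
        return self._items.get(key)


class DurableStore(VolatileCache):
    """Stand-in for the SQL driver: rows are never evicted, only flushed explicitly."""

    def __init__(self):
        super().__init__(capacity=float("inf"))

    def flush_expired(self, now):
        """The job a periodic cron script does for SQL, which has no native TTL."""
        for key in [k for k, v in self._items.items() if v["expires"] <= now]:
            del self._items[key]


# UUID-style token: an opaque id whose only meaning is the record in the store.
def issue_uuid_token(store, now, ttl):
    token_id = os.urandom(16).hex()
    store.set(token_id, {"expires": now + ttl})
    return token_id


def validate_uuid_token(store, token_id, now):
    rec = store.get(token_id)
    # A missing record cannot be told apart from "never issued", so this fails closed:
    # an evicted but valid token is reported invalid.
    return rec is not None and now < rec["expires"]


# Self-describing token: payload (id, expiry) plus an HMAC over it. Validation needs
# only the key, so no token persistence is required.
def _sign(payload):
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()


def issue_signed_token(now, ttl):
    payload = json.dumps({"id": os.urandom(16).hex(), "expires": now + ttl}).encode()
    return base64.urlsafe_b64encode(payload + _sign(payload)).decode()


def _parse_signed(token):
    raw = base64.urlsafe_b64decode(token)
    payload, sig = raw[:-32], raw[-32:]
    if not hmac.compare_digest(sig, _sign(payload)):
        return None  # tampered or forged; checked before the payload is parsed
    return json.loads(payload)


def validate_self_describing_token(token, now):
    claims = _parse_signed(token)
    return claims is not None and now < claims["expires"]


# PKI-style revocation: the token stays cryptographically valid until it expires, so
# the only record that it was revoked is an entry in the persistence store.
def revoke_signed_token(store, token):
    claims = _parse_signed(token)
    if claims is not None:
        store.set("revoked:" + claims["id"], {"expires": claims["expires"]})


def validate_pki_token(store, token, now):
    if not validate_self_describing_token(token, now):
        return False
    # If the revocation entry was evicted, the token is silently "unrevoked".
    return store.get("revoked:" + _parse_signed(token)["id"]) is None


def run_scenario(store_factory, pressure):
    """Issue one UUID token and one signed token, revoke the signed one, then write
    `pressure` unrelated records. Returns (uuid_token_still_valid, revoked_token_rejected)."""
    now = 1_000_000
    store = store_factory()
    uuid_tok = issue_uuid_token(store, now, ttl=3600)
    pki_tok = issue_signed_token(now, ttl=3600)
    revoke_signed_token(store, pki_tok)
    for i in range(pressure):
        store.set("other:%d" % i, {"expires": now + 3600})
    return (validate_uuid_token(store, uuid_tok, now + 60),
            not validate_pki_token(store, pki_tok, now + 60))


if __name__ == "__main__":
    print("durable:", run_scenario(DurableStore, pressure=10))
    print("volatile:", run_scenario(lambda: VolatileCache(capacity=4), pressure=10))
```

With the durable store both checks hold; with the small volatile cache under pressure the valid UUID token is rejected (the acceptable, fail-closed case) and the revoked signed token is accepted again (the unacceptable, fail-open case), which is the asymmetry the reply above describes.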
Note that this review is abandoned.
Abandoned: refarch does not use memcached for Keystone tokens.