It is known that caching of fernet tokens provides a 50%+ performance increase, but it also could break the authentication service in case of any serious issue. Current documentation [1] doesn't contain any details about configuring the [cache] section in keystone.conf.

Our partner is concerned whether we support environments with the following configuration parameters in keystone.conf:

/etc/keystone/keystone.conf::cache::backend oslo_cache.memcache_pool
/etc/keystone/keystone.conf::cache::memcache_servers 1.1.1.1:11211,1.1.1.2:11211,1.1.1.3:11211
/etc/keystone/keystone.conf::cache::enabled true
/etc/keystone/keystone.conf::token::caching true

Please treat this bug as one with high priority: it could have serious business impact.

[1] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html/configuration_reference/ch_configuring-openstack-identity
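The four parameters from the report, converted to keystone.conf INI form and checked for whether token caching is actually in effect. This is an added example, not code from the report or from keystone; the function names `to_ini` and `audit` are hypothetical, and the fallbacks used for unset options are assumptions to verify against the deployed release.

```python
import configparser
import io

# Parameters exactly as written in the bug report (file::section::key value).
REPORTED = """\
/etc/keystone/keystone.conf::cache::backend oslo_cache.memcache_pool
/etc/keystone/keystone.conf::cache::memcache_servers 1.1.1.1:11211,1.1.1.2:11211,1.1.1.3:11211
/etc/keystone/keystone.conf::cache::enabled true
/etc/keystone/keystone.conf::token::caching true
"""

def to_ini(flat):
    """Convert 'path::section::key value' lines into keystone.conf INI text."""
    cp = configparser.ConfigParser(interpolation=None)
    for line in filter(str.strip, flat.splitlines()):
        spec, _, value = line.strip().partition(" ")
        _path, section, key = spec.split("::")
        if not cp.has_section(section):
            cp.add_section(section)
        cp.set(section, key, value.strip())
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()

def audit(ini_text):
    """Return a list of findings; an empty list means token caching is wired up."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    findings = []
    # Assumption: an unset [cache] enabled is treated as off, an unset [token] caching as on.
    if not cp.getboolean("cache", "enabled", fallback=False):
        findings.append("[cache] enabled is not true: [token] caching has no effect")
    if not cp.getboolean("token", "caching", fallback=True):
        findings.append("[token] caching is false: tokens are validated uncached")
    backend = cp.get("cache", "backend", fallback="")
    if backend in ("", "dogpile.cache.null"):
        findings.append("[cache] backend is unset or the no-op backend")
    servers = [s for s in cp.get("cache", "memcache_servers", fallback="").split(",") if s]
    if backend.endswith("memcache_pool") and not servers:
        findings.append("memcache backend selected but memcache_servers is empty")
    for s in servers:
        host, _, port = s.rpartition(":")
        if not host or not port.isdigit():
            findings.append(f"malformed memcache server entry: {s!r}")
    return findings

if __name__ == "__main__":
    print(to_ini(REPORTED))
    print(audit(to_ini(REPORTED)) or "token caching is configured end to end")
```

The listed memcached endpoints hold token validation data and memcached does not authenticate clients by default, so port 11211 on those hosts should be reachable only from the controller nodes.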
Here is the official configuration guide for fernet tokens in RHOSP 10: https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html/deploy_fernet_on_the_overcloud/
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2022:6543
As a result, all types of tokens benefit from caching, including Fernet tokens. Although Fernet tokens do not need to be persisted, they should still be cached for optimal token validation performance.