Bug 908355 - Keystone SQL Backend does not remove expired tokens
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone
Version: 2.0 (Folsom)
Hardware: Unspecified, OS: Unspecified
Priority: high, Severity: high
Target Milestone: Upstream M3
Target Release: 5.0 (RHEL 7)
Assigned To: Adam Young
QA Contact: Udi
Keywords: FutureFeature, Rebase, Triaged
Duplicates: 926921 1011091 1011093
Depends On: 990584
Blocks: RHOS50RFE 1011091 1011093 1029671
 
Reported: 2013-02-06 08:51 EST by Pavel Sedlák
Modified: 2016-04-26 13:16 EDT
CC List: 10 users

Doc Type: Known Issue
Doc Text:
The SQL backend for Identity records tokens. It does not have a timeout, and it does not automatically remove tokens once they are recorded. As a consequence, the SQL database can run out of storage space. As a workaround, Identity now includes a command to remove tokens, namely 'keystone-manage token_flush'. This process should be scheduled to run regularly via cron. It is recommended that this command be run approximately once per minute.
Clones: 1011091 1011093 1029671
Last Closed: 2014-07-08 11:23:30 EDT
Type: Bug

External Trackers
Tracker ID Priority Status Summary Last Updated
Launchpad 1032633 None None None Never
OpenStack gerrit 28133 None None None Never

Description Pavel Sedlák 2013-02-06 08:51:14 EST
Description of problem:
Keystone (at least with MySQL backend) keeps already issued tokens in 'token' table, with 'expires' column.
But expired tokens are never removed.

See upstream bug https://bugs.launchpad.net/keystone/+bug/1008587
Comment 2 Adam Young 2013-04-10 14:49:47 EDT
*** Bug 926921 has been marked as a duplicate of this bug. ***
Comment 3 Alan Pevec 2013-05-30 11:23:12 EDT
keystone-manage token-flush was merged in Havana
Comment 4 Adam Young 2013-07-31 12:05:59 EDT
I just submitted this patch upstream, which builds on previous solutions, and provides a means to automate the token removal.

https://review.openstack.org/#/c/39507/
Comment 11 Scott Lewis 2013-11-05 10:41:46 EST
*** Bug 1011091 has been marked as a duplicate of this bug. ***
Comment 12 Scott Lewis 2013-11-05 10:44:24 EST
*** Bug 1011093 has been marked as a duplicate of this bug. ***
Comment 13 Adam Young 2013-11-25 16:03:35 EST
Solution should be to schedule the command

keystone-manage token-_flush

via cron to run on the keystone server. The interval for the command really depends on the load. With MySQL, there is some issue with Database locking, and some people have reported that going too long between flushes has caused Keystone to be unresponsive when running the command. Once a minute is probably a safe value.
Comment 14 Adam Young 2013-11-25 16:04:16 EST
Solution should be to schedule the command

keystone-manage token_flush

via cron to run on the keystone server. The interval for the command really depends on the load. With MySQL, there is some issue with Database locking, and some people have reported that going too long between flushes has caused Keystone to be unresponsive when running the command. Once a minute is probably a safe value.
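One way to schedule the once-a-minute flush from comments 13 and 14 so that a slow run cannot overlap the next one and pile more work onto the database. This is an added example, not part of the bug report or of the Keystone packaging; the script path, cron file name, lock file path, the `--run` argument and exit code 75 are assumptions.

```shell
#!/bin/sh
# Added example: cron wrapper around the token flush (not Keystone's own code).
#
# Constructed cron entry, e.g. /etc/cron.d/keystone-token-flush (hypothetical name),
# running once per minute as the keystone user:
#   * * * * * keystone /usr/local/bin/keystone-token-flush.sh --run

# Hypothetical lock file location; must be writable by the cron user.
LOCK_FILE="${LOCK_FILE:-/var/lock/keystone-token-flush.lock}"
# Overridable so the wrapper can be exercised on a host without Keystone.
FLUSH_CMD="${FLUSH_CMD:-keystone-manage token_flush}"

# Run one flush while holding an exclusive lock on LOCK_FILE.
# Returns 0 on success, 75 if an earlier flush still holds the lock,
# otherwise the exit status of the flush command itself.
flush_tokens() {
    (
        # -n: fail immediately instead of queueing behind a slow flush,
        # so runs never stack up while the token table is locked.
        flock -n 9 || exit 75
        # Unquoted on purpose: FLUSH_CMD holds a command plus its argument.
        $FLUSH_CMD
    ) 9>"$LOCK_FILE"
}

# Only flush when invoked with --run, as in the cron entry above.
if [ "${1:-}" = "--run" ]; then
    flush_tokens
    rc=$?
    if [ "$rc" -eq 75 ]; then
        # A skipped run means the previous flush took longer than the interval.
        echo "token flush skipped: previous run still active" >&2
    fi
    exit "$rc"
fi
```

Repeated "skipped" messages in the cron mail or log are a sign that the token table has grown enough for a single flush to outlast the interval.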
Comment 15 Udi 2014-02-20 09:53:44 EST
Adam, can you review the TCMS test case? Please see if there is anything to add to it.
Comment 16 Adam Young 2014-02-21 16:24:59 EST
Test plan looks good. +2
Comment 19 Udi 2014-04-13 08:00:40 EDT
Verified in M3:
openstack-packstack-2014.1.1-0.7.dev1018.el7.noarch
openstack-keystone-2014.1-0.4.b3.el7.noarch
Comment 21 Udi 2014-04-23 03:58:43 EDT
This is also verified in 4.0
Comment 24 errata-xmlrpc 2014-07-08 11:23:30 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2014-0854.html
