Description of problem: Keystone (at least with MySQL backend) keeps already issued tokens in 'token' table, with 'expires' collumn. But expired tokens are never removed. See upstream bug https://bugs.launchpad.net/keystone/+bug/1008587
*** Bug 926921 has been marked as a duplicate of this bug. ***
keystone-manage token-flush was merged in Havana
I just submitted this patch upstream, which builds on previous solutions, and provides a means to automate the token removal. https://review.openstack.org/#/c/39507/
*** Bug 1011091 has been marked as a duplicate of this bug. ***
*** Bug 1011093 has been marked as a duplicate of this bug. ***
Solution should be to schedule the command keystone-manage token-_flush via cron to run on the keystone server. The interval for the command really depends on the load. With MySQL, there is some issue with Database locking, and some people have reported that going to long between flushes have caused Keystone to be unresponsive when running the command. Once a minute is probably a safe value.
Solution should be to schedule the command keystone-manage token_flush via cron to run on the keystone server. The interval for the command really depends on the load. With MySQL, there is some issue with Database locking, and some people have reported that going to long between flushes have caused Keystone to be unresponsive when running the command. Once a minute is probably a safe value.
Adam, can you review the TCMS test case? Please see if there is anything to add to it.
Test plan looks good. +2
Verified in M3: openstack-packstack-2014.1.1-0.7.dev1018.el7.noarch openstack-keystone-2014.1-0.4.b3.el7.noarch
This is also verified in 4.0
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHEA-2014-0854.html