Cloned for documentation impact, refer to Bug # 908355 for implementation details.
Jeff Dexter: "> It was recently brought to my attention that the token db that keystone keeps does not rid itself of expired tokens. On the gss test system, I had over 140,000 tokens in the DB and that is for a very small and inactive deployment. Is there discussion about keystone keeping these tokens forever, or should it be purging them at some point, or some way to manage the DB other than to go in and delete expired tokens?"
Steve Gordon: "In RHELOSP 3 (Grizzly) they need to be removed manually from the database, in RHELOSP 4 (Havana) [1] it will be possible to instead use the command "keystone-manage token_flush" provided as a result of this upstream blueprint: https://blueprints.launchpad.net/keystone/+spec/keystone-manage-token-flush"
Updating priority to match severity.
Current recommendation from devel is to use the keystone-manage token_flush command each minute to remove tokens. If this is not done on a frequent basis a few things can occur. 1) The database can fill up. 2) The database can have locking issues while token cleanup is occurring on a large dataset. This results in no new tokens getting issued during the sql table lock time. We can suggest creating the following file and restarting the cron daemon.

/etc/cron.d/keystone
----------------------------------------------------------
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# Clean up expired tokens in the database
* * * * * keystone /usr/bin/keystone-manage token_flush >/var/log/keystone/cron.log 2>&1
----------------------------------------------------------

service crond restart
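As an added example (not part of the bug thread and not keystone's own code), a small Python check that parses a cron.d file and reports whether a keystone-manage token_flush job is scheduled as the keystone user at least once per minute, as recommended above; the sample file content is constructed from that recommendation and the function names are my own.

```python
"""Verify that a cron.d file runs keystone-manage token_flush often enough."""

# Constructed sample: the /etc/cron.d/keystone content recommended above.
SAMPLE_CRON = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# Clean up expired tokens in the database
* * * * * keystone /usr/bin/keystone-manage token_flush >/var/log/keystone/cron.log 2>&1
"""


def minute_field_max_gap(field):
    """Largest gap in minutes between firings implied by a crontab minute
    field (supports '*', '*/n', lists and ranges); includes the hour wrap."""
    minutes = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step = part.split("/", 1)
            step = int(step)
        if part == "*":
            lo, hi = 0, 59
        elif "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        minutes.update(range(lo, hi + 1, step))
    ordered = sorted(minutes)
    gaps = [b - a for a, b in zip(ordered, ordered[1:])]
    gaps.append(ordered[0] + 60 - ordered[-1])  # last firing -> first of next hour
    return max(gaps)


def find_token_flush_jobs(text):
    """Return (schedule_fields, user, command) for every token_flush job line.
    cron.d lines are: min hour dom mon dow user command; VAR=value lines and
    comments have fewer than seven fields or start with '#' and are skipped."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        if len(fields) == 7 and "keystone-manage" in fields[6] and "token_flush" in fields[6]:
            jobs.append((fields[:5], fields[5], fields[6]))
    return jobs


def check_token_flush(text, max_gap_minutes=1):
    """Return a list of findings; an empty list means the file is compliant."""
    jobs = find_token_flush_jobs(text)
    if not jobs:
        return ["no keystone-manage token_flush job found"]
    findings = []
    for schedule, user, _command in jobs:
        if user != "keystone":
            findings.append("job runs as %r, expected keystone" % user)
        if schedule[1:] != ["*", "*", "*", "*"]:
            findings.append("hour/day/month/weekday fields restrict the job: %s" % " ".join(schedule))
        gap = minute_field_max_gap(schedule[0])
        if gap > max_gap_minutes:
            findings.append("token_flush runs at most every %d minutes" % gap)
    return findings
```

Pass the contents of /etc/cron.d/keystone to check_token_flush; each returned string is a reason the flush would run less often, or with different privileges, than recommended.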
This bug is being assigned to Bruce Reeler, who is now the designated docs specialist for OpenStack Identity Service.
From the dev bug it looks like the upstream patch to fix this is not yet accepted, and the dev bug has been moved to ver5.0. So adding this "keystone-manage token_flush cmd has to be run every minute" to the ICG for now, will see what happens w.r.t. ver5.0; if still an issue for v5.0 will add to Configuration Reference. For QA: See the note in section 9.4.1, added sentence: "It is recommended that this command be run approximately once per minute."