[Openstack-operators] Keystone token HA

Clint Byrum clint at fewbar.com
Fri Dec 18 14:50:11 UTC 2015


Excerpts from Ajay Kalambur (akalambu)'s message of 2015-12-17 22:48:24 -0800:
> Hi
> If we deploy Keystone using memcached as token backend we see that bringing down 1 of 3 memcache servers results in some tokens getting invalidated. Does memcached not support replication of tokens?
> So if we wanted HA w.r.t. Keystone tokens, should we use SQL backend for tokens?
> 

I'd recommend using Fernet + SQL (for revocation events). Not having to
store all of the tokens is worth the extra CPU to validate/generate.

If you do use SQL as the backend for UUID, make sure you're cleaning up
expired tokens aggressively.
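
Added example, not part of the original message and not Keystone code: a sketch of why losing one of three memcached nodes invalidates some stored tokens, while a token validated from a shared key survives and still honours revocation. The pool model, the node names, the key and the HMAC token format are assumptions; the HMAC token is a stand-in for Fernet, not the real Fernet format.

```python
import hashlib
import hmac
import time
import uuid

class ShardedCache:
    # Constructed stand-in for a memcached pool: the client hashes each key
    # to exactly one node, and nodes do not replicate to each other.
    def __init__(self, names):
        self.order = list(names)
        self.nodes = {n: {} for n in self.order}
    def _node(self, key):
        digest = hashlib.sha256(key.encode()).digest()
        return self.order[int.from_bytes(digest[:8], "big") % len(self.order)]
    def set(self, key, value):
        self.nodes[self._node(key)][key] = value
    def get(self, key):
        return self.nodes[self._node(key)].get(key)
    def fail(self, name):
        self.nodes[name].clear()  # node lost: its entries existed nowhere else

def issue_uuid_tokens(cache, count):
    # UUID-style tokens are valid only while the backend still holds the record.
    tokens = [uuid.uuid4().hex for _ in range(count)]
    for tok in tokens:
        cache.set(tok, {"user": "demo"})
    return tokens

def surviving(cache, tokens):
    return sum(cache.get(tok) is not None for tok in tokens)

KEY = b"constructed-demo-key"  # stands in for a key shared by every API node

def _mac(body):
    return hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_signed(user, ttl=3600):
    body = f"{user}|{int(time.time() + ttl)}"
    return f"{body}|{_mac(body)}"

def validate_signed(token, revoked_users=frozenset()):
    # No token store is consulted; revoked_users models the SQL revocation events.
    body, _, mac = token.rpartition("|")
    user, _, expires = body.rpartition("|")
    if not hmac.compare_digest(mac.encode(), _mac(body).encode()) or not expires.isdigit():
        return None
    if int(expires) < time.time() or user in revoked_users:
        return None
    return user
```

With three nodes, roughly a third of the stored tokens disappear when one node is cleared; the signed token keeps validating on any node that holds the key until it expires or its user appears in the revocation set.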
