[openstack-dev] [Keystone] Memcache user token index and PKI tokens

Kieran Spear kispear at gmail.com
Mon Jul 15 08:06:10 UTC 2013

Hi all,

I want to backport the fix for the "Token List in Memcache can consume
an entire memcache page" bug[1] to Grizzly, but I had a couple of

1. Why do we need to store the entire token data in the
usertoken-<userid> key? This data always seems to be hashed before
indexing into the 'token-<tokenid>' keys anyway. The size of the
memcache data for a user's token list currently grows by 4k every time
a new PKI token is created. It doesn't take long to hit 1MB at this
rate even with the above fix.

2. Every time it creates a new token, Keystone loads each token from
the user's token list with a separate memcache call so it can throw it
away if it's expired. This seems excessive. Is it anything to worry
about? If it just checked the first two tokens you'd get the same
effect on a longer time scale.

I guess part of the answer is to decrease our token expiry time, which
should mitigate both issues. Failing that we'd consider moving to the
SQL backend.


[1] https://bugs.launchpad.net/keystone/+bug/1171985

More information about the OpenStack-dev mailing list