[openstack-dev] Expired tokens in Keystone

Yee, Guang guang.yee at hp.com
Fri Jun 14 15:03:14 UTC 2013


I think there was a case in which a user started a VM snapshot in Nova with a 
to-be-expired token and by the time the snapshot reached Glance the token had 
already expired.



But I like the idea of token reuse. Probably need a configurable parameter to 
determine at what point we need to issue a new token versus reusing an 
existing one. Maybe a good topic for the next Summit?





Guang





From: Ravi Chunduru [mailto:ravivsn at gmail.com]
Sent: Friday, June 14, 2013 7:32 AM
To: OpenStack Development Mailing List
Subject: Re: [openstack-dev] Expired tokens in Keystone



I asked this question in a different thread but got no response.



Why does Keystone not re-use the token it has already issued for the 
same credentials? Any reason for not doing that?



Thanks,

-Ravi.

On Wed, Jun 12, 2013 at 11:04 AM, Jay Pipes <jaypipes at gmail.com> wrote:

On 06/12/2013 12:54 PM, Craig E. Ward wrote:

I am working with a Folsom installation of OpenStack. The Keystone
database (mysql) gets very large. The token table has millions of rows
of expired tokens. Is there a reason not to delete these from the table?



Not unless you need them for some security auditing purpose... and if you 
don't, I recommend switching to the memcache token driver. It's faster and 
doesn't have the drawback of filling up your identity database with millions 
of token records.

best,
-jay











-- 
Ravi
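
The reuse threshold and the expired-row cleanup discussed in this thread, as an added sketch that is not part of any message above and is not Keystone code. `TokenStore`, `min_remaining`, and the `alice`/`demo` scope are hypothetical names, the clock is passed in as `now`, and credentials are assumed to have been verified by the caller.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Token:
    id: str
    expires_at: float  # seconds on the caller's clock


class TokenStore:
    """Hypothetical in-memory issuer (not Keystone's token driver)."""

    def __init__(self, lifetime=3600.0, min_remaining=600.0):
        self.lifetime = lifetime            # validity of a fresh token
        self.min_remaining = min_remaining  # the configurable reuse threshold
        self.table = {}                     # token id -> Token, like the token table
        self._latest = {}                   # (user, project) -> newest token id

    def get_token(self, user, project, now):
        """Reuse the newest token for this scope unless it is too close to expiry."""
        tok = self.table.get(self._latest.get((user, project)))
        if tok is not None and tok.expires_at - now >= self.min_remaining:
            return tok
        tok = Token(secrets.token_hex(16), now + self.lifetime)
        self.table[tok.id] = tok
        self._latest[(user, project)] = tok.id
        return tok

    def validate(self, token_id, now):
        tok = self.table.get(token_id)
        return tok is not None and tok.expires_at > now

    def purge_expired(self, now):
        """Delete expired rows; returns how many were removed."""
        dead = [tid for tid, t in self.table.items() if t.expires_at <= now]
        for tid in dead:
            del self.table[tid]
        return len(dead)


if __name__ == "__main__":
    store = TokenStore()
    first = store.get_token("alice", "demo", now=0)       # constructed sample scope
    again = store.get_token("alice", "demo", now=100)     # reused, no new row
    late = store.get_token("alice", "demo", now=3100)     # 500 s left: new token
    print(first.id == again.id, late.id != first.id, len(store.table))
    print(store.validate(late.id, now=3700), store.purge_expired(now=3700))
```

Setting `min_remaining` at least as long as the longest expected operation keeps a reused token from expiring partway through a request such as the snapshot case.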
