It was covered some here:
http://lists.openstack.org/pipermail/openstack-dev/2015-July/069658.html

and some graphs here:
http://www.mattfischer.com/blog/?p=672

tl;dr is that having revoked tokens affects keystone token validation and tokens are validated on almost every API call unless you're using some caching. It's not a reason to skip this idea, but it's something I'm wary of since I get the call whenever Keystone gets slow. Depending on how many revocations it generates, I might turn it off. To be honest I'm not sure how much this feature is used by our customers.

On Tue, Aug 11, 2015 at 8:16 PM, Tony Breeds <tony at bakeyournoodle.com> wrote:

> On Mon, Aug 10, 2015 at 07:16:43PM -0600, Matt Fischer wrote:
>
> > I'm not excited about making this the default until token revocations don't
> > impact performance the way that they do now. I don't know how often this
> > would get exercised though, but the impact of 100+ token revokes is
> > noticeable on every API call.
>
> I'm not certain what you mean here. Can you elaborate on where you're seeing
> token revocations impacting performance? The only place I can see we do this
> revocation/removal is in migrate and delete paths and certainly not on every
> API call.
>
> Yours Tony.