[openstack-dev] [keystone] Flush expired tokens automatically ?

Adam Young ayoung at redhat.com
Tue Jan 27 18:43:23 UTC 2015

Short term answers:

The amount of infrastructure we would have to build to replicate CRON is 
not worth it.

Figuring out a CRON strategy for nontrivial deployment is part of a 
larger data management scheme.

Long term answers:

Tokens should not be persisted.  We have been working toward ephemeral 
tokens for a long time, but the vision of how to get there is not 
uniformly shared among the team.  We spent a lot of time arguing about 
AE tokens, which looked promising, but do not support federation.

Where we are headed is a split of the data in the token into an 
ephemeral portion and a persisted portion.  The persisted portion would 
be reused, and would represent the delegation of authority. The 
epehmeral portion will represent the time aspects of the token: when 
issued, when expired, etc.  The ephemeral portion would refer to the 
persisted portion.

The revocation events code  is necessary for PKI tokens, and might be 
required depending on how we do the ephemeral/persisted split. With AE 
tokens it would have been necessary, but with a unified delegation 
mechanism, it would be less so.

If anyone feels the need for ephemeral tokens strongly enough to 
contribute, please let me know.  We've put a lot of design into where we 
are today, and I would encourage you to learn the issues before jumping 
in to the solutions.  I'm more than willing to guide any new development 
along these lines.

More information about the OpenStack-dev mailing list