[openstack-dev] [keystone] Flush expired tokens automatically ?
Adam Young
ayoung at redhat.com
Tue Jan 27 18:43:23 UTC 2015
Short term answers:
The amount of infrastructure we would have to build to replicate CRON is
not worth it.
Figuring out a CRON strategy for nontrivial deployment is part of a
larger data management scheme.
Long term answers:
Tokens should not be persisted. We have been working toward ephemeral
tokens for a long time, but the vision of how to get there is not
uniformly shared among the team. We spent a lot of time arguing about
AE tokens, which looked promising, but do not support federation.
Where we are headed is a split of the data in the token into an
ephemeral portion and a persisted portion. The persisted portion would
be reused, and would represent the delegation of authority. The
ephemeral portion will represent the time aspects of the token: when
issued, when expired, etc. The ephemeral portion would refer to the
persisted portion.
The revocation events code is necessary for PKI tokens, and might be
required depending on how we do the ephemeral/persisted split. With AE
tokens it would have been necessary, but with a unified delegation
mechanism, it would be less so.
If anyone feels the need for ephemeral tokens strongly enough to
contribute, please let me know. We've put a lot of design into where we
are today, and I would encourage you to learn the issues before jumping
in to the solutions. I'm more than willing to guide any new development
along these lines.
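The ephemeral/persisted split described above, reduced to a runnable sketch. This is an added illustration written for this page, not Keystone code and not the AE token design; the delegation store, the HMAC signing of the ephemeral portion, and the field names (`delegation_id`, `issued_at`, `expires_at`) are all assumptions made here to show the idea. The point it demonstrates is the operational one from the thread: when expiry lives in the signed ephemeral portion and only the delegation is persisted, issuing a token writes nothing, so there is nothing to flush, and revoking the delegation invalidates every token that refers to it.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed server-side signing key for this example only.
SIGNING_KEY = b"example-signing-key-not-for-production"


class DelegationStore:
    """Persisted portion: which authority a user delegated for a project.

    One record is reused by every token issued against it.
    """

    def __init__(self):
        self._records = {}

    def create(self, user_id, project_id, roles):
        delegation_id = secrets.token_hex(8)
        self._records[delegation_id] = {
            "user_id": user_id,
            "project_id": project_id,
            "roles": list(roles),
        }
        return delegation_id

    def get(self, delegation_id):
        return self._records.get(delegation_id)

    def revoke(self, delegation_id):
        # Revoking the persisted delegation invalidates every ephemeral
        # token that refers to it, without tracking individual token ids.
        self._records.pop(delegation_id, None)


def _sign(payload: bytes) -> str:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def issue_token(delegation_id, ttl_seconds, now=None):
    """Ephemeral portion: time data plus a reference to the persisted part.

    Nothing is written to any store; issuing is a pure signing operation.
    """
    now = time.time() if now is None else now
    body = {
        "delegation_id": delegation_id,
        "issued_at": now,
        "expires_at": now + ttl_seconds,
    }
    payload = json.dumps(body, sort_keys=True).encode()
    return payload.hex() + "." + _sign(payload)


def validate_token(token, store, now=None):
    """Return (delegation, body) for a valid token, or None.

    Expiry is decided from the signed token itself, so an expired token
    never needs a database row to be deleted: it simply stops validating.
    """
    now = time.time() if now is None else now
    try:
        payload_hex, sig = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    # Constant-time comparison so a tampered token is rejected before
    # anything in it is trusted.
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    body = json.loads(payload)
    if now >= body["expires_at"]:
        return None
    delegation = store.get(body["delegation_id"])
    if delegation is None:
        return None
    return delegation, body


if __name__ == "__main__":
    store = DelegationStore()
    delegation_id = store.create("user-1", "project-1", ["member"])
    token = issue_token(delegation_id, ttl_seconds=3600, now=1000.0)
    print("fresh:", validate_token(token, store, now=2000.0) is not None)
    print("expired:", validate_token(token, store, now=5000.0))
    store.revoke(delegation_id)
    print("revoked:", validate_token(token, store, now=2000.0))
```

The `now` parameter exists only so the time checks can be exercised deterministically; in a real service the signing key would be managed like any other secret and rotated, which this sketch does not cover.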