[openstack-dev] [Nova] About deleting keypairs

Sean Dague sean at dague.net
Mon Jul 18 23:26:11 UTC 2016


On 07/18/2016 08:14 AM, Matt Riedemann wrote:
>
> Nova doesn't actually validate that the user_id passed into the keypairs API
> is valid, does it? Like flavor access and quotas, Nova is given an ID
> but doesn't validate it with Keystone. So we don't actually need
> Keystone to find these do we?
>
> I'm not saying that's great, we already had a spec approved for Newton
> to check the provided user/project ID with keystone for the flavor
> access and quotas APIs, we could do the same for keypairs.
>
> You could, however, write a script that deletes keypairs for user_ids
> that don't exist in Keystone...

A user can be in more than one project, so delete of users in projects 
automatically has some edge conditions, enough so that I'm not sure we'd 
ever want that automatically.

My suggestion would be a periodic purge of your local records by looking 
up the userids in keystone. The dead keys are doing very little other 
than taking up space, so it's mostly just about compaction, which could 
be run on a weekly basis.

	-Sean

-- 
Sean Dague
http://dague.net
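
An added example, not part of the original thread and not Nova or Keystone code: a sketch of the periodic purge suggested above, which treats a failed identity lookup as "unknown" rather than "deleted" so that an outage never removes live keys. `user_exists` and `delete_keypair` are hypothetical callables standing in for a Keystone user lookup and a Nova keypair delete; the sample records are constructed.

```python
"""Weekly compaction pass: find keypairs whose owner no longer exists."""
from collections import defaultdict


def find_orphaned_keypairs(keypairs, user_exists):
    """Return (orphans, skipped_user_ids).

    keypairs: iterable of (user_id, keypair_name) from the local records.
    user_exists: hypothetical callable giving True/False for a definite
        answer from the identity service and raising on any lookup failure.
    """
    by_user = defaultdict(list)
    for user_id, name in keypairs:
        by_user[user_id].append(name)

    orphans, skipped = [], []
    for user_id, names in sorted(by_user.items()):  # one lookup per user
        try:
            exists = user_exists(user_id)
        except Exception:
            # Outage or auth failure is not proof of deletion: keep the keys.
            skipped.append(user_id)
            continue
        if not exists:
            orphans.extend((user_id, n) for n in sorted(names))
    return orphans, skipped


def purge(keypairs, user_exists, delete_keypair, dry_run=True):
    """Delete orphaned keypairs; with dry_run only report them."""
    orphans, skipped = find_orphaned_keypairs(keypairs, user_exists)
    if not dry_run:
        for user_id, name in orphans:
            delete_keypair(user_id, name)  # hypothetical delete hook
    return orphans, skipped


# Constructed sample data, not taken from any real deployment.
SAMPLE_KEYPAIRS = [("u-alice", "laptop"), ("u-gone", "old-key"),
                   ("u-gone", "ci-key"), ("u-flaky", "deploy")]
SAMPLE_USERS = {"u-alice": True, "u-gone": False}  # u-flaky: lookup fails


def sample_user_exists(user_id):
    return SAMPLE_USERS[user_id]  # KeyError simulates a failed lookup


if __name__ == "__main__":
    print(purge(SAMPLE_KEYPAIRS, sample_user_exists, lambda u, n: None))
```

Running with `dry_run=True` first and reviewing the skipped user IDs gives an operator a chance to confirm the list before any record is removed.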


