[openstack-dev] [Nova] About deleting keypairs
Sean Dague
sean at dague.net
Mon Jul 18 23:26:11 UTC 2016
On 07/18/2016 08:14 AM, Matt Riedemann wrote:
>
> Nova doesn't actually validate that the user_id passed into the keypairs
> API is valid, does it? Like flavor access and quotas, Nova is given an ID
> but doesn't validate it with Keystone. So we don't actually need
> Keystone to find these, do we?
>
> I'm not saying that's great, we already had a spec approved for Newton
> to check the provided user/project ID with keystone for the flavor
> access and quotas APIs, we could do the same for keypairs.
>
> You could, however, write a script that deletes keypairs for user_ids
> that don't exist in Keystone...

A user can be in more than one project, so delete of users in projects
automatically has some edge conditions, enough so that I'm not sure we'd
ever want that automatically.

My suggestion would be a periodic purge of your local records by looking
up the userids in keystone. The dead keys are doing very little other
than taking up space, so it's mostly just about compaction, which could
be run on a weekly basis.

-Sean

--
Sean Dague
http://dague.net
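
A sketch of the periodic purge suggested in this message, added as an example here and not part of the original post or of Nova. The `user_exists` callable, the row shape and the `max_purge_ratio` guard are assumptions; the point is that a failed Keystone lookup is never treated as "user deleted", and that an implausibly large purge is refused.

```python
from collections import defaultdict


class LookupFailed(Exception):
    """Identity lookup could not be completed (timeout, 5xx, auth error)."""


def plan_keypair_purge(keypairs, user_exists, max_purge_ratio=0.5):
    """Return (orphans, skipped_user_ids) without deleting anything.

    keypairs: iterable of {"user_id": ..., "name": ...} rows (assumed shape).
    user_exists: hypothetical callable; True/False for a definitive answer,
    raises LookupFailed when Keystone gave no definitive answer.
    """
    by_user = defaultdict(list)
    for kp in keypairs:
        by_user[kp["user_id"]].append(kp)

    orphans, skipped = [], []
    for user_id, rows in by_user.items():  # one lookup per user, not per key
        try:
            exists = user_exists(user_id)
        except LookupFailed:
            skipped.append(user_id)  # unknown is not "deleted": keep the keys
            continue
        if not exists:
            orphans.extend(rows)

    total = sum(len(r) for r in by_user.values())
    if total and len(orphans) / total > max_purge_ratio:
        # A purge this large more likely means a broken or wrong Keystone
        # endpoint than real user churn; refuse rather than wipe the table.
        raise RuntimeError("purge ratio %.2f exceeds limit" % (len(orphans) / total))
    return orphans, skipped


# Constructed sample data standing in for Nova rows and Keystone answers.
SAMPLE_KEYPAIRS = [
    {"user_id": "u-alice", "name": "laptop"},
    {"user_id": "u-alice", "name": "ci"},
    {"user_id": "u-gone", "name": "old-key"},
    {"user_id": "u-flaky", "name": "build"},
]


def sample_user_exists(user_id):
    if user_id == "u-flaky":
        raise LookupFailed(user_id)
    return user_id == "u-alice"
```

The function only produces a plan; the caller decides whether to delete the returned rows and should retry the skipped user IDs on the next run.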