[Openstack] Variable keystone token lifespans?

Andrew Bogott abogott at wikimedia.org
Tue Apr 18 20:58:41 UTC 2017


I use keystone tokens for two things:

1) To authorize a Horizon session.  I like these to live a nice, long 
time so I don't have to re-auth with the web UI over and over.

2) To authorize service users running cron jobs and other maintenance 
scripts.  These don't need to last long at all; just until the script is 
finished.

In order to support case 1, my keystone.conf has 'expiration' set to a 
huge value, several days.  That means that my token table is HUGE, full 
of all kinds of tokens that were used for use case 2 and immediately 
forgotten about but have to linger for days before they can be cleaned 
up with token_flush.

This turns out to matter!  I just ran a simple test (deleting a project, 
which does a number of queries on the token table) and it took 2.5 
minutes.  I imposed a 1-day expiration limit on the table and the same 
test took 20 seconds.

So, now I'm considering a silly hack, selectively purging tokens from 
the database that match service user ids long before their proper 
expiration.  Is there a better solution?  Is there some way to specify a 
lifespan at token creation time, or specify it per group?  Or is that 
one 'expiration' config setting all I get?

(Currently running Keystone version 'liberty' but hoping to upgrade to M 
and N soon.)

Thanks!

-Andrew
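
The selective purge considered in the message above, as an added example that is not part of the original post and not Keystone code. It assumes a token table with `id`, `expires`, `user_id` and `valid` columns (modelled on Keystone's SQL token backend; check the deployed schema), uses SQLite as a stand-in database, and assumes every token was issued under the same 'expiration' value; the user names and rows are constructed.

```python
import sqlite3
from datetime import datetime, timedelta

# Assumed layout: modelled on the columns of Keystone's SQL token table
# (id, expires, user_id, valid); verify against the deployed schema.
SCHEMA = "CREATE TABLE token (id TEXT PRIMARY KEY, expires TEXT, user_id TEXT, valid INTEGER)"


def purge_service_tokens(conn, service_user_ids, expiration, max_age, now):
    """Delete tokens of the given users that were issued more than max_age ago.

    The table stores only the expiry time, so the issue time is derived as
    expires - expiration; a token is older than max_age when
    expires < now + expiration - max_age.
    """
    if not service_user_ids:
        return 0
    cutoff = (now + expiration - max_age).isoformat(sep=" ")
    marks = ",".join("?" for _ in service_user_ids)
    cur = conn.execute(
        f"DELETE FROM token WHERE user_id IN ({marks}) AND expires < ?",
        [*service_user_ids, cutoff],
    )
    conn.commit()
    return cur.rowcount


def demo():
    now = datetime(2017, 4, 18, 21, 0, 0)
    expiration = timedelta(days=3)  # stands in for keystone.conf 'expiration'
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    issued = {  # constructed sample rows: token id -> (user, age of token)
        "t1": ("svc-cron", timedelta(hours=2)),
        "t2": ("svc-cron", timedelta(minutes=5)),
        "t3": ("horizon-user", timedelta(hours=2)),
        "t4": ("svc-backup", timedelta(days=1)),
    }
    for tid, (user, age) in issued.items():
        expires = (now - age + expiration).isoformat(sep=" ")
        conn.execute("INSERT INTO token VALUES (?, ?, ?, 1)", (tid, expires, user))
    deleted = purge_service_tokens(
        conn, ["svc-cron", "svc-backup"], expiration, timedelta(minutes=30), now)
    left = sorted(r[0] for r in conn.execute("SELECT id FROM token"))
    return deleted, left


if __name__ == "__main__":
    print(demo())
```

The 30-minute `max_age` leaves a running script's fresh token alone while removing service tokens that would otherwise sit in the table for the full expiration period.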
