I use keystone tokens for two things:
1) To authorize a Horizon session. I like these to live a nice, long
time so I don't have to re-auth with the web UI over and over.
2) To authorize service users running cron jobs and other maintenance
scripts. These don't need to last long at all; just until the script is
finished.
In order to support case 1, my keystone.conf has 'expiration' set to a
huge value, several days. That means that my token table is HUGE, full
of all kinds of tokens that were used for use case 2 and immediately
forgotten about but have to linger for days before they can be cleaned
up with token_flush.
This turns out to matter! I just ran a simple test (deleting a project,
which does a number of queries on the token table) and it took 2.5
minutes. I imposed a 1-day expiration limit on the table and the same
test took 20 seconds.
So, now I'm considering a silly hack, selectively purging tokens from
the database that match service user ids long before their proper
expiration. Is there a better solution? Is there some way to specify a
lifespan at token creation time, or specify it per group? Or is that
one 'expiration' config setting all I get?
(Currently running Keystone version 'liberty' but hoping to upgrade to M
and N soon.)
Thanks!
-Andrew