From 0cb787bb9d2e8a5c87821646f2387ae1f2dcd8a0 Mon Sep 17 00:00:00 2001
From: Edward Hope-Morley
Date: Wed, 7 Jun 2023 14:14:14 +0100
Subject: [PATCH] Make role-cache-expiration configurable

We use a default expiration_time (dogpile-expiration-time) of 600s which means that role assignments will take up to this amount of time before all caches are updated to reflect changes. This may not be suitable for some clouds that make frequent changes to role assignments and lowering the global value is not recommended so this overrides the [role] cache_time to a more appropriate value and also makes it configurable. We leave default value as None so that the global value is still inherited but this at least allows it to be customised.

Change-Id: I49e46e010c543f831959581b2122f59068f2c07b
Closes-Bug: #1771114
---
 config.yaml | 10 ++++++++++
 hooks/keystone_context.py | 3 +++
 templates/queens/keystone.conf | 5 +++++
 3 files changed, 18 insertions(+)

diff --git a/config.yaml b/config.yaml
index e9da46fc..05c4c6c5 100644
--- a/config.yaml
+++ b/config.yaml
@@ -107,6 +107,16 @@ options:
     type: int
     default: 60
     description: Amount of time (in seconds) the catalog should be cached for.
+  role-cache-expiration:
+    type: int
+    default:
+    description: | Amount of time (in seconds) role assignments should be cached for. Relying on the global expiration_time can cause applications that frequently add/remove role assignments to become slow or fail since assignment changes will take up to expiration_time to sync across all caches. Reducing cache_time means more database queries so if an impact is perceived this value should be increased.
   dogpile-cache-expiration:
     type: int
     default: 600
diff --git a/hooks/keystone_context.py b/hooks/keystone_context.py
index f682818d..00d2152e 100644
--- a/hooks/keystone_context.py
+++ b/hooks/keystone_context.py
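Review bot: The description of `role-cache-expiration` never says what happens when the option is left at its empty default, which is the state every deployment starts in; the commit message explains that the global `dogpile-cache-expiration` then applies, but a reader of config.yaml alone cannot tell. I would add a line to the block such as `If unset, the global dogpile-cache-expiration value is used.` It is also worth stating that the staleness applies to removals as well as additions — a revoked role assignment remains effective on a unit until its cached entry expires — since that is what an operator tuning this for security rather than throughput needs to know. The empty `default:` under `type: int` presumably surfaces as None to the charm, which is what the guard in hooks/keystone_context.py relies on; a short comment saying so would help.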
@@ -214,6 +214,9 @@ class KeystoneContext(context.OSContextGenerator):
         ctxt['verbose'] = config('verbose')
         ctxt['token_expiration'] = config('token-expiration')
         ctxt['catalog_cache_expiration'] = config('catalog-cache-expiration')
+        if config('role-cache-expiration') is not None:
+            ctxt['role_cache_expiration'] = config('role-cache-expiration')
+
         ctxt['dogpile_cache_expiration'] = config('dogpile-cache-expiration')
         ctxt['identity_backend'] = config('identity-backend')
diff --git a/templates/queens/keystone.conf b/templates/queens/keystone.conf
index 1d828509..d61501c3 100644
--- a/templates/queens/keystone.conf
+++ b/templates/queens/keystone.conf
@@ -42,6 +42,11 @@ driver = sql
 cache_time = {{ catalog_cache_expiration }}
 driver = sql
 
+{% if role_cache_expiration is not None -%}
+[role]
+cache_time = {{ role_cache_expiration }}
+{% endif -%}
+
 [endpoint_filter]
 
 [token]
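Review bot: `ctxt['role_cache_expiration']` is only assigned when the option is not None, so when it is unset the key is absent from the context rather than present as None; the template hunk in templates/queens/keystone.conf then tests `role_cache_expiration is not None` against an undefined variable, and depending on how Jinja resolves that test it either errors or, with a non-strict undefined, presumably takes the branch and renders `cache_time =` with an empty value under `[role]`. The simplest fix is to drop the guard and always export the value, `ctxt['role_cache_expiration'] = config('role-cache-expiration')`, leaving the None check to the template; this also avoids reading the same config option twice. The enclosing method body starts and ends outside this hunk.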
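Review bot: `{% if role_cache_expiration is not None -%}` uses the capitalised `None` as a Jinja test name; Jinja2's built-in test is lowercase `none` and I do not believe `None` is registered as an alias, so this line is likely to fail at template compile time with a "no test named" error — worth confirming by rendering the template in a unit test rather than relying on deploy. The line should read `{% if role_cache_expiration is not none -%}`, or `{% if role_cache_expiration is defined and role_cache_expiration is not none -%}` if the context may omit the key. If this template already carries a `[role]` section elsewhere, the hunk introduces a second `[role]` header, which I cannot rule out from the visible lines. Any other release template directory that ships its own keystone.conf would need the same block, otherwise the new option is silently ignored there.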