Deprecate cache_on_issue configuration option

Keystone already supports a global caching toggle and an option to configure token caching explicitly. Having a third option to enable pre-cached tokens is redundant, creates unnecessary complexity that bleeds through to operators, and causes weird behaviors if token caching is disabled and pre-caching is not. This commit deprecates the cache_on_issue configuration option in favor of just using ``keystone.conf [token] caching`` option instead. This commit also attempts to clarify the help text so that it describes the relationship between the various caching options, even if it is short-lived. The help text for ``keystone.conf [token] cache_on_issue`` claimed that it only cached tokens if global caching was enabled through oslo.cache and if ``keystone.conf [token] caching = True``. However, the actual implementation doesn't check if ``keystone.conf [token] caching = True`` at all. Even if token caching is disabled, tokens will be cached when they are issued. Change-Id: I1e1117deabadaba26ea8e833a06180529e1e0a4b
2019-02-07 22:59:10 +00:00 · 2019-02-07 22:59:10 +00:00 · ebad027f21
parent 8d84ec2420
commit ebad027f21
2 changed files with 14 additions and 3 deletions
--- a/keystone/conf/token.py
+++ b/keystone/conf/token.py
@ -104,10 +104,21 @@ other role assignments.
 cache_on_issue = cfg.BoolOpt(
    'cache_on_issue',
    default=True,
+    deprecated_since=versionutils.deprecated.STEIN,
+    deprecated_reason=utils.fmt("""
+Keystone already exposes a configuration option for caching tokens. Having a
+separate configuration option to cache tokens when they are issued is
+redundant, unnecessarily complicated, and is misleading if token caching is
+disabled because tokens will still be pre-cached by default when they are
+issued. The ability to pre-cache tokens when they are issued is going to rely
+exclusively on the ``keystone.conf [token] caching`` option in the future.
+"""),
+    deprecated_for_removal=True,
    help=utils.fmt("""
 Enable storing issued token data to token validation cache so that first token
 validation doesn't actually cause full validation cycle. This option has no
-effect unless global caching and token caching are enabled.
+effect unless global caching is enabled and will still cache tokens even if
+`[token] caching = False`.
 """))

 allow_expired_window = cfg.IntOpt(
--- a/keystone/token/provider.py
+++ b/keystone/token/provider.py
@ -125,7 +125,7 @@ class Manager(manager.Manager):
        consuming notifications that signal invalidating the token cache.

        """
-        if CONF.token.cache_on_issue:
+        if CONF.token.cache_on_issue or CONF.token.caching:
            TOKENS_REGION.invalidate()

    def check_revocation_v3(self, token):
@ -252,7 +252,7 @@ class Manager(manager.Manager):
        token.mint(token_id, issued_at)

        # cache the token object and with ID
-        if CONF.token.cache_on_issue:
+        if CONF.token.cache_on_issue or CONF.token.caching:
            # NOTE(amakarov): here and above TOKENS_REGION is to be passed
            # to serve as required positional "self" argument. It's ignored,
            # so I've put it here for convenience - any placeholder is fine.