Merge "Remove deprecated token_flush"
commit 26c5d3352b
@ -25,20 +25,6 @@ With that said, there are many opportunities for tuning the performance of
|
|||
Keystone, many of which are actually trade-offs between performance and
|
||||
security that you need to judge for yourself, and tune accordingly.
|
||||
|
||||
Pruning expired tokens from backend storage
|
||||
===========================================
|
||||
|
||||
Using a persistent token format will result in an ever-growing backend store.
|
||||
Keystone will not remove, or prune, tokens from the backend even after they are
|
||||
expired. This can be managed manually using ``keystone-manage token_flush``,
|
||||
which will purge expired tokens from the data store in batches. Diligently
|
||||
pruning expired tokens will prevent token bloat.
|
||||
|
||||
.. note::
|
||||
|
||||
This optimization is not necessary for deployments leveraging Fernet
|
||||
tokens, which are non-persistent in nature.
|
||||
|
||||
Keystone configuration options that affect performance
|
||||
======================================================
|
||||
|
||||
|
|
|
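Review bot: Operators of out-of-tree providers that still rely on persistent token storage lose their only pruning guidance when the "Pruning expired tokens from backend storage" section goes away. The deprecation warning removed from the CLI in this same change told them to move the functionality "into a separate tool", so consider leaving a one-sentence note in this document saying that keystone no longer prunes a persistent token store and that such deployments have to handle expiry cleanup themselves.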
@ -145,24 +145,3 @@ If your certificates are fetched on demand, the PKI validation is
|
|||
working properly. Most likely, the token from Identity is not valid for
|
||||
the operation you are attempting to perform, and your user needs a
|
||||
different role for the operation.
|
||||
|
||||
|
||||
Flush expired tokens from the token database table
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Problem
|
||||
-------
|
||||
|
||||
As you generate tokens, the token database table on the Identity server
|
||||
grows.
|
||||
|
||||
Solution
|
||||
--------
|
||||
|
||||
To clear the token table, an administrative user must run the
|
||||
:command:`keystone-manage token_flush` command to flush the tokens. When you
|
||||
flush tokens, expired tokens are deleted and traceability is eliminated.
|
||||
|
||||
Use ``cron`` to schedule this command to run frequently based on your
|
||||
workload. For large workloads, running it every minute is recommended.
|
||||
|
||||
|
|
|
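Review bot: The removed Solution text told operators to schedule ``keystone-manage token_flush`` from ``cron``, as often as every minute for large workloads, so existing crontabs will keep invoking a subcommand that this change unregisters. Suggest calling that out for operators (the release note in this change is the natural place) so the cron entries are removed as part of the upgrade rather than discovered through failing runs.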
@ -21,5 +21,4 @@ Available commands:
|
|||
* ``mapping_purge``: Purge the identity mapping table.
|
||||
* ``mapping_engine``: Test your federation mapping rules.
|
||||
* ``saml_idp_metadata``: Generate identity provider metadata.
|
||||
* ``token_flush``: Purge expired tokens.
|
||||
* ``trust_flush``: Purge expired trusts.
|
|
@ -658,23 +658,6 @@ class CredentialMigrate(BasePermissionsSetup):
|
|||
klass.migrate_credentials()
|
||||
|
||||
|
||||
class TokenFlush(BaseApp):
|
||||
"""Flush expired tokens from the backend."""
|
||||
|
||||
name = 'token_flush'
|
||||
|
||||
@classmethod
|
||||
def main(cls):
|
||||
LOG.warning(
|
||||
'This command is deprecated and no longer needed with the '
|
||||
'development of non-persistent token formats. It will be removed '
|
||||
'in Stein. It is recommended that you remove usage of this '
|
||||
'command or integrate it\'s functionality into a separate tool if '
|
||||
'you are using an out-of-tree provider that relies on persistent '
|
||||
'token storage.'
|
||||
)
|
||||
|
||||
|
||||
class TrustFlush(BaseApp):
|
||||
"""Flush expired and non-expired soft deleted trusts from the backend."""
|
||||
|
||||
|
@ -1185,7 +1168,6 @@ CMDS = [
|
|||
MappingPurge,
|
||||
MappingEngineTester,
|
||||
SamlIdentityProviderMetadata,
|
||||
TokenFlush,
|
||||
TokenRotate,
|
||||
TokenSetup,
|
||||
TrustFlush
|
||||
|
|
|
@ -1631,23 +1631,6 @@ class TestGroupMappingPurgeFunctional(unit.SQLDriverOverrides, unit.TestCase):
|
|||
)
|
||||
|
||||
|
||||
class TestTokenFlush(unit.TestCase):
|
||||
|
||||
def test_token_flush_emits_warning(self):
|
||||
expected_msg = (
|
||||
'This command is deprecated and no longer needed with the '
|
||||
'development of non-persistent token formats. It will be removed '
|
||||
'in Stein. It is recommended that you remove usage of this '
|
||||
'command or integrate it\'s functionality into a separate tool if '
|
||||
'you are using an out-of-tree provider that relies on persistent '
|
||||
'token storage.'
|
||||
)
|
||||
logging = self.useFixture(fixtures.FakeLogger())
|
||||
tf = cli.TokenFlush()
|
||||
tf.main()
|
||||
self.assertThat(logging.output, matchers.Contains(expected_msg))
|
||||
|
||||
|
||||
class TestTrustFlush(unit.SQLDriverOverrides, unit.BaseTestCase):
|
||||
|
||||
class FakeConfCommand(object):
|
||||
|
|
|
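Review bot: Removing test_token_flush_emits_warning drops a user of fixtures.FakeLogger and matchers.Contains; please confirm that the ``fixtures`` and ``matchers`` imports are still used elsewhere in this test module. If this test was the last user of either one, the import should be removed in the same change so the module does not carry an unused import.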
@ -4,3 +4,6 @@ other:
|
|||
[`blueprint removed-as-of-stein <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-stein>`_]
|
||||
The options ``member_role_id`` and ``member_role_name`` which were
|
||||
deprecated in Queens and only used for V2 are removed now.
|
||||
- >
|
||||
[`blueprint removed-as-of-stein <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-stein>`_]
|
||||
The deprecated token_flush is removed now.
|
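Review bot: The new entry, "The deprecated token_flush is removed now.", does not say what token_flush is, while the entry above it marks option names with double backticks. Suggest naming the command in full with the same markup, for example "The deprecated ``keystone-manage token_flush`` command is removed.", so a reader scanning the release notes can match it against their own scripts.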