Merge "Remove deprecated token_flush"

2018-10-19 08:22:08 +00:00 · 2018-10-19 08:22:08 +00:00 · 26c5d3352b
parent c1e57e57cc 48dcdb5ad3
commit 26c5d3352b
6 changed files with 3 additions and 71 deletions
--- a/doc/source/admin/identity-performance.rst
+++ b/doc/source/admin/identity-performance.rst
@ -25,20 +25,6 @@ With that said, there are many opportunities for tuning the performance of
 Keystone, many of which are actually trade-offs between performance and
 security that you need to judge for yourself, and tune accordingly.

-Pruning expired tokens from backend storage
-===========================================
-
-Using a persistent token format will result in an ever-growing backend store.
-Keystone will not remove, or prune, tokens from the backend even after they are
-expired. This can be managed manually using ``keystone-manage token_flush``,
-which will purge expired tokens from the data store in batches. Diligently
-pruning expired tokens will prevent token bloat.
-
-.. note::
-
-    This optimization is not necessary for deployments leveraging Fernet
-    tokens, which are non-persistent in nature.
-
 Keystone configuration options that affect performance
 ======================================================

--- a/doc/source/admin/identity-troubleshoot.rst
+++ b/doc/source/admin/identity-troubleshoot.rst
@ -145,24 +145,3 @@ If your certificates are fetched on demand, the PKI validation is
 working properly. Most likely, the token from Identity is not valid for
 the operation you are attempting to perform, and your user needs a
 different role for the operation.
-
-
-Flush expired tokens from the token database table
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Problem
-------
-
-As you generate tokens, the token database table on the Identity server
-grows.
-
-Solution
--------
-
-To clear the token table, an administrative user must run the
-:command:`keystone-manage token_flush` command to flush the tokens. When you
-flush tokens, expired tokens are deleted and traceability is eliminated.
-
-Use ``cron`` to schedule this command to run frequently based on your
-workload. For large workloads, running it every minute is recommended.
-
--- a/doc/source/cli/commands.rst
+++ b/doc/source/cli/commands.rst
@ -21,5 +21,4 @@ Available commands:
 * ``mapping_purge``: Purge the identity mapping table.
 * ``mapping_engine``: Test your federation mapping rules.
 * ``saml_idp_metadata``: Generate identity provider metadata.
-* ``token_flush``: Purge expired tokens.
 * ``trust_flush``: Purge expired trusts.
--- a/keystone/cmd/cli.py
+++ b/keystone/cmd/cli.py
@ -658,23 +658,6 @@ class CredentialMigrate(BasePermissionsSetup):
        klass.migrate_credentials()


-class TokenFlush(BaseApp):
-    """Flush expired tokens from the backend."""
-
-    name = 'token_flush'
-
-    @classmethod
-    def main(cls):
-        LOG.warning(
-            'This command is deprecated and no longer needed with the '
-            'development of non-persistent token formats. It will be removed '
-            'in Stein. It is recommended that you remove usage of this '
-            'command or integrate it\'s functionality into a separate tool if '
-            'you are using an out-of-tree provider that relies on persistent '
-            'token storage.'
-        )
-
-
 class TrustFlush(BaseApp):
    """Flush expired and non-expired soft deleted trusts from the backend."""

@ -1185,7 +1168,6 @@ CMDS = [
    MappingPurge,
    MappingEngineTester,
    SamlIdentityProviderMetadata,
-    TokenFlush,
    TokenRotate,
    TokenSetup,
    TrustFlush
--- a/keystone/tests/unit/test_cli.py
+++ b/keystone/tests/unit/test_cli.py
@ -1631,23 +1631,6 @@ class TestGroupMappingPurgeFunctional(unit.SQLDriverOverrides, unit.TestCase):
            )


-class TestTokenFlush(unit.TestCase):
-
-    def test_token_flush_emits_warning(self):
-        expected_msg = (
-            'This command is deprecated and no longer needed with the '
-            'development of non-persistent token formats. It will be removed '
-            'in Stein. It is recommended that you remove usage of this '
-            'command or integrate it\'s functionality into a separate tool if '
-            'you are using an out-of-tree provider that relies on persistent '
-            'token storage.'
-        )
-        logging = self.useFixture(fixtures.FakeLogger())
-        tf = cli.TokenFlush()
-        tf.main()
-        self.assertThat(logging.output, matchers.Contains(expected_msg))
-
-
 class TestTrustFlush(unit.SQLDriverOverrides, unit.BaseTestCase):

    class FakeConfCommand(object):
--- a/releasenotes/notes/removed-as-of-stein-5eb23253b72ab54e.yaml
+++ b/releasenotes/notes/removed-as-of-stein-5eb23253b72ab54e.yaml
@ -4,3 +4,6 @@ other:
    [`blueprint removed-as-of-stein <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-stein>`_]
    The options ``member_role_id`` and ``member_role_name`` which were
    deprecated in Queens and only used for V2 are removed now.
+  - >
+    [`blueprint removed-as-of-stein <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-stein>`_]
+    The deprecated token_flush is removed now.