Remove deprecated token_flush
This patch removes the deprecated token_flush in the Stein release of OpenStack.

Change-Id: Ifc6d162923072d657fd5c163b94ffcd88dc80692
Implements: bp removed-as-of-stein
Parent: 8e33c78232
Commit: 48dcdb5ad3
|
@ -25,20 +25,6 @@ With that said, there are many opportunities for tuning the performance of
|
||||||
Keystone, many of which are actually trade-offs between performance and
|
Keystone, many of which are actually trade-offs between performance and
|
||||||
security that you need to judge for yourself, and tune accordingly.
|
security that you need to judge for yourself, and tune accordingly.
|
||||||
|
|
||||||
Pruning expired tokens from backend storage
|
|
||||||
===========================================
|
|
||||||
|
|
||||||
Using a persistent token format will result in an ever-growing backend store.
|
|
||||||
Keystone will not remove, or prune, tokens from the backend even after they are
|
|
||||||
expired. This can be managed manually using ``keystone-manage token_flush``,
|
|
||||||
which will purge expired tokens from the data store in batches. Diligently
|
|
||||||
pruning expired tokens will prevent token bloat.
|
|
||||||
|
|
||||||
.. note::
|
|
||||||
|
|
||||||
This optimization is not necessary for deployments leveraging Fernet
|
|
||||||
tokens, which are non-persistent in nature.
|
|
||||||
|
|
||||||
Keystone configuration options that affect performance
|
Keystone configuration options that affect performance
|
||||||
======================================================
|
======================================================
|
||||||
|
|
||||||
|
|
|
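Review bot: Dropping the whole "Pruning expired tokens from backend storage" section also drops the only statement on this page that Keystone does not prune a persistent token backend by itself. The deprecation warning removed elsewhere in this patch names deployments with "an out-of-tree provider that relies on persistent token storage"; those operators still have a growing table and now get no guidance. Consider keeping a one-sentence note saying that pruning is the provider's or operator's responsibility once `token_flush` is gone.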
@ -145,24 +145,3 @@ If your certificates are fetched on demand, the PKI validation is
|
||||||
working properly. Most likely, the token from Identity is not valid for
|
working properly. Most likely, the token from Identity is not valid for
|
||||||
the operation you are attempting to perform, and your user needs a
|
the operation you are attempting to perform, and your user needs a
|
||||||
different role for the operation.
|
different role for the operation.
|
||||||
|
|
||||||
|
|
||||||
Flush expired tokens from the token database table
|
|
||||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
|
|
||||||
Problem
|
|
||||||
-------
|
|
||||||
|
|
||||||
As you generate tokens, the token database table on the Identity server
|
|
||||||
grows.
|
|
||||||
|
|
||||||
Solution
|
|
||||||
--------
|
|
||||||
|
|
||||||
To clear the token table, an administrative user must run the
|
|
||||||
:command:`keystone-manage token_flush` command to flush the tokens. When you
|
|
||||||
flush tokens, expired tokens are deleted and traceability is eliminated.
|
|
||||||
|
|
||||||
Use ``cron`` to schedule this command to run frequently based on your
|
|
||||||
workload. For large workloads, running it every minute is recommended.
|
|
||||||
|
|
||||||
|
|
|
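Review bot: The removed "Solution" text told operators to schedule `keystone-manage token_flush` from cron, as often as every minute, and nothing in this patch tells them to take that job out again. Please add a sentence (here or in the release note) asking operators to remove the cron entry before upgrading, so the scheduled job does not keep invoking a command that no longer exists. The removed wording also noted that flushing "eliminates traceability"; if any persistent-token deployment remains, that audit caveat is worth keeping wherever the replacement guidance lands.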
@ -21,5 +21,4 @@ Available commands:
|
||||||
* ``mapping_purge``: Purge the identity mapping table.
|
* ``mapping_purge``: Purge the identity mapping table.
|
||||||
* ``mapping_engine``: Test your federation mapping rules.
|
* ``mapping_engine``: Test your federation mapping rules.
|
||||||
* ``saml_idp_metadata``: Generate identity provider metadata.
|
* ``saml_idp_metadata``: Generate identity provider metadata.
|
||||||
* ``token_flush``: Purge expired tokens.
|
|
||||||
* ``trust_flush``: Purge expired trusts.
|
* ``trust_flush``: Purge expired trusts.
|
|
@ -658,23 +658,6 @@ class CredentialMigrate(BasePermissionsSetup):
|
||||||
klass.migrate_credentials()
|
klass.migrate_credentials()
|
||||||
|
|
||||||
|
|
||||||
class TokenFlush(BaseApp):
|
|
||||||
"""Flush expired tokens from the backend."""
|
|
||||||
|
|
||||||
name = 'token_flush'
|
|
||||||
|
|
||||||
@classmethod
|
|
||||||
def main(cls):
|
|
||||||
LOG.warning(
|
|
||||||
'This command is deprecated and no longer needed with the '
|
|
||||||
'development of non-persistent token formats. It will be removed '
|
|
||||||
'in Stein. It is recommended that you remove usage of this '
|
|
||||||
'command or integrate it\'s functionality into a separate tool if '
|
|
||||||
'you are using an out-of-tree provider that relies on persistent '
|
|
||||||
'token storage.'
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
class TrustFlush(BaseApp):
|
class TrustFlush(BaseApp):
|
||||||
"""Flush expired and non-expired soft deleted trusts from the backend."""
|
"""Flush expired and non-expired soft deleted trusts from the backend."""
|
||||||
|
|
||||||
|
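Review bot: The removed `TokenFlush.main()` only logged the deprecation warning and returned, so existing callers currently succeed with a warning; once the class and its `CMDS` entry are gone, `token_flush` is no longer a registered command and those callers start failing. That is the intended end state, but it is a behaviour change for unattended jobs and should be called out as upgrade impact. Please also confirm there are no remaining references to `TokenFlush` or `token_flush` outside the files touched here (other docs, sample scripts, shell completion), since the visible hunks only cover two admin guides, the man page, `CMDS` and one unit test.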
@ -1185,7 +1168,6 @@ CMDS = [
|
||||||
MappingPurge,
|
MappingPurge,
|
||||||
MappingEngineTester,
|
MappingEngineTester,
|
||||||
SamlIdentityProviderMetadata,
|
SamlIdentityProviderMetadata,
|
||||||
TokenFlush,
|
|
||||||
TokenRotate,
|
TokenRotate,
|
||||||
TokenSetup,
|
TokenSetup,
|
||||||
TrustFlush
|
TrustFlush
|
||||||
|
|
|
@ -1631,23 +1631,6 @@ class TestGroupMappingPurgeFunctional(unit.SQLDriverOverrides, unit.TestCase):
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
class TestTokenFlush(unit.TestCase):
|
|
||||||
|
|
||||||
def test_token_flush_emits_warning(self):
|
|
||||||
expected_msg = (
|
|
||||||
'This command is deprecated and no longer needed with the '
|
|
||||||
'development of non-persistent token formats. It will be removed '
|
|
||||||
'in Stein. It is recommended that you remove usage of this '
|
|
||||||
'command or integrate it\'s functionality into a separate tool if '
|
|
||||||
'you are using an out-of-tree provider that relies on persistent '
|
|
||||||
'token storage.'
|
|
||||||
)
|
|
||||||
logging = self.useFixture(fixtures.FakeLogger())
|
|
||||||
tf = cli.TokenFlush()
|
|
||||||
tf.main()
|
|
||||||
self.assertThat(logging.output, matchers.Contains(expected_msg))
|
|
||||||
|
|
||||||
|
|
||||||
class TestTrustFlush(unit.SQLDriverOverrides, unit.BaseTestCase):
|
class TestTrustFlush(unit.SQLDriverOverrides, unit.BaseTestCase):
|
||||||
|
|
||||||
class FakeConfCommand(object):
|
class FakeConfCommand(object):
|
||||||
|
|
|
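Review bot: `TestTokenFlush` was using `fixtures.FakeLogger()` and `matchers.Contains`; with the test removed, please check that `fixtures` and `matchers` are still used elsewhere in this test module and drop the imports if not, otherwise the pep8 job will flag them. No replacement test is needed for the removal itself, but a small assertion that `token_flush` is absent from the registered command names would guard against the entry being reintroduced by a bad merge.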
@ -4,3 +4,6 @@ other:
|
||||||
[`blueprint removed-as-of-stein <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-stein>`_]
|
[`blueprint removed-as-of-stein <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-stein>`_]
|
||||||
The options ``member_role_id`` and ``member_role_name`` which were
|
The options ``member_role_id`` and ``member_role_name`` which were
|
||||||
deprecated in Queens and only used for V2 are removed now.
|
deprecated in Queens and only used for V2 are removed now.
|
||||||
|
- >
|
||||||
|
[`blueprint removed-as-of-stein <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-stein>`_]
|
||||||
|
The deprecated token_flush is removed now.
|
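Review bot: The new release note line "The deprecated token_flush is removed now." does not say what `token_flush` is and is formatted differently from the entry above it, which marks option names as literals (``member_role_id``). Suggest naming the command in full as ``keystone-manage token_flush``, and adding one sentence telling operators to remove any scheduled invocation of it. Since the removal can break existing automation, consider whether it belongs under the upgrade section of the note rather than only under `other:`.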