From 0967f6ec4eacf69a5cee9b7582daed973e1dded4 Mon Sep 17 00:00:00 2001
From: Rodrigo Barbieri <rodrigo.barbieri2010@gmail.com>
Date: Tue, 19 Mar 2024 14:32:46 -0300
Subject: [PATCH] Add cache_time for identity

This patch adds a config option to allow
configuring the cache_time for identity elements.

It is also including a complementary fix for
change I49e46e010c543f831959581b2122f59068f2c07b
that missed adjusting the correct template, and
used the wrong comparison "is not None".

Closes-bug: #2054418
Related-bug: #1771114
Change-Id: I57d376eb6c1f0f38cdd028aacf397aaf7f3a1cda
---
 config.yaml                    | 10 ++++++++++
 hooks/keystone_context.py      |  3 +++
 templates/queens/keystone.conf |  5 -----
 templates/rocky/keystone.conf  |  8 ++++++++
 4 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/config.yaml b/config.yaml
index 2c2a6f71..c6f1d484 100644
--- a/config.yaml
+++ b/config.yaml
@@ -107,6 +107,16 @@ options:
     type: int
     default: 60
     description: Amount of time (in seconds) the catalog should be cached for.
+  identity-cache-expiration:
+    type: int
+    default:
+    description: |
+      Amount of time (in seconds) user identity information should be cached
+      for. This impacts user information such as email and description, which
+      could display stale information from cache after being updated. Reducing
+      cache_time means more database queries so if an impact is perceived
+      this value should be increased. If unspecified, the default value of
+      600 is used.
   role-cache-expiration:
     type: int
     default:
diff --git a/hooks/keystone_context.py b/hooks/keystone_context.py
index 00d2152e..f0fb6be9 100644
--- a/hooks/keystone_context.py
+++ b/hooks/keystone_context.py
@@ -216,6 +216,9 @@ class KeystoneContext(context.OSContextGenerator):
         ctxt['catalog_cache_expiration'] = config('catalog-cache-expiration')
         if config('role-cache-expiration') is not None:
             ctxt['role_cache_expiration'] = config('role-cache-expiration')
+        if config('identity-cache-expiration') is not None:
+            ctxt['identity_cache_expiration'] = config(
+                'identity-cache-expiration')
 
         ctxt['dogpile_cache_expiration'] = config('dogpile-cache-expiration')
 
diff --git a/templates/queens/keystone.conf b/templates/queens/keystone.conf
index d61501c3..1d828509 100644
--- a/templates/queens/keystone.conf
+++ b/templates/queens/keystone.conf
@@ -42,11 +42,6 @@ driver = sql
 cache_time = {{ catalog_cache_expiration }}
 driver = sql
 
-{% if role_cache_expiration is not None -%}
-[role]
-cache_time = {{ role_cache_expiration }}
-{% endif -%}
-
 [endpoint_filter]
 
 [token]
diff --git a/templates/rocky/keystone.conf b/templates/rocky/keystone.conf
index 1a716fd6..263f6f3d 100644
--- a/templates/rocky/keystone.conf
+++ b/templates/rocky/keystone.conf
@@ -20,6 +20,9 @@ connection_recycle_time = 200
 
 [identity]
 driver = {{ identity_backend }}
+{% if identity_cache_expiration -%}
+cache_time = {{ identity_cache_expiration }}
+{% endif -%}
 {% if default_domain_id -%}
 default_domain_id = {{ default_domain_id }}
 {% endif -%}
@@ -40,6 +43,11 @@ driver = sql
 cache_time = {{ catalog_cache_expiration }}
 driver = sql
 
+{% if role_cache_expiration -%}
+[role]
+cache_time = {{ role_cache_expiration }}
+{% endif -%}
+
 [endpoint_filter]
 
 [token]