Make role-cache-expiration configurable

We use a default expiration_time (dogpile-expiration-time)
of 600s which means that role assignments will take up to
this amount of time before all caches are updated to
reflect changes. This may not be suitable for some clouds
that make frequent changes to role assignments and lowering
the global value is not recommended so this overrides the
[role] cache_time to a more appropriate value and also
makes it configurable. We leave default value as None so
that the global value is still inherited but this at least
allows it to be customised.

Change-Id: I49e46e010c543f831959581b2122f59068f2c07b
Closes-Bug: #1771114
Edward Hope-Morley 2023-06-07 14:14:14 +01:00
parent 23e2642b41
commit 0cb787bb9d
3 changed files with 18 additions and 0 deletions

@ -107,6 +107,16 @@ options:
type: int
default: 60
description: Amount of time (in seconds) the catalog should be cached for.
role-cache-expiration:
type: int
default:
description: |
Amount of time (in seconds) role assignments should be cached for.
Relying on the global expiration_time can cause applications that
frequently add/remove role assignments to become slow or fail
since assignment changes will take up to expiration_time to sync
across all caches. Reducing cache_time means more database queries
so if an impact is perceived this value should be increased.
dogpile-cache-expiration:
type: int
default: 600
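
Review bot: the description of role-cache-expiration speaks of expiration_time and cache_time, which are keystone.conf names rather than charm options, and it never says what happens when the option is left at its empty default. Suggest stating that an unset value inherits dogpile-cache-expiration and that a set value is written as cache_time under [role]. Since the type is int with no bounds, the description should also say whether 0 or a negative number is a meaningful setting.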

@ -214,6 +214,9 @@ class KeystoneContext(context.OSContextGenerator):
ctxt['verbose'] = config('verbose')
ctxt['token_expiration'] = config('token-expiration')
ctxt['catalog_cache_expiration'] = config('catalog-cache-expiration')
if config('role-cache-expiration') is not None:
ctxt['role_cache_expiration'] = config('role-cache-expiration')
ctxt['dogpile_cache_expiration'] = config('dogpile-cache-expiration')
ctxt['identity_backend'] = config('identity-backend')
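
Review bot: the new `if config('role-cache-expiration') is not None:` branch has no test among the hunks in this change, so neither the unset path (key absent from ctxt) nor the set path is exercised. Suggest a KeystoneContext unit test for both cases, including a value of 0, which passes the `is not None` check and is forwarded as is. The option is also looked up twice; reading it once into a local before the check would be tidier.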

@ -42,6 +42,11 @@ driver = sql
cache_time = {{ catalog_cache_expiration }}
driver = sql
{% if role_cache_expiration is not None -%}
[role]
cache_time = {{ role_cache_expiration }}
{% endif -%}
[endpoint_filter]
[token]
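
Review bot: the guard `{% if role_cache_expiration is not None -%}` does not match how the context supplies the value. KeystoneContext leaves role_cache_expiration out of ctxt when the option is unset, so the template sees an undefined variable rather than None, and the Jinja2 built-in test is spelled `none` in lower case. Suggest `{% if role_cache_expiration is defined -%}`, or set ctxt['role_cache_expiration'] unconditionally and test `is not none`, so that an unset option cannot render a [role] section with an empty `cache_time =`.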