From f1aa4866c1d0624576a8b2756bfec36e884805ad Mon Sep 17 00:00:00 2001 From: Brant Knudson Date: Fri, 22 Jan 2016 10:32:42 -0600 Subject: [PATCH] Deprecate in-process cache For a long time now if you don't configure memcache then auth_token middleware would cache the tokens in process memory. This is not the job of auth_token middleware. If you need to cache you should configure memcache otherwise auth_token will authenticate with keystone for every token request. As such, this feature is deprecated and may be removed in the 5.0.0 release or the "O" development cycle (whichever is later). Change-Id: Ied2b88c8cefe5655a88d0c2f334de04e588fa75a --- keystonemiddleware/auth_token/_cache.py | 16 +++++++++++++--- ...ing-tokens-in-process-a412b0f1dea84cb9.yaml | 18 ++++++++++++++++++ 2 files changed, 31 insertions(+), 3 deletions(-) create mode 100644 releasenotes/notes/deprecate-caching-tokens-in-process-a412b0f1dea84cb9.yaml diff --git a/keystonemiddleware/auth_token/_cache.py b/keystonemiddleware/auth_token/_cache.py index c52377a..9cd5b00 100644 --- a/keystonemiddleware/auth_token/_cache.py +++ b/keystonemiddleware/auth_token/_cache.py @@ -19,7 +19,7 @@ import six from keystonemiddleware.auth_token import _exceptions as exc from keystonemiddleware.auth_token import _memcache_crypt as memcache_crypt from keystonemiddleware.auth_token import _memcache_pool as memcache_pool -from keystonemiddleware.i18n import _, _LE +from keystonemiddleware.i18n import _, _LE, _LW from keystonemiddleware.openstack.common import memorycache @@ -54,8 +54,18 @@ class _EnvCachePool(object): class _CachePool(list): """A lazy pool of cache references.""" - def __init__(self, memcached_servers): + def __init__(self, memcached_servers, log): self._memcached_servers = memcached_servers + if not self._memcached_servers: + log.warning(_LW( + "Using the in-process token cache is deprecated as of the " + "4.2.0 release and may be removed in the 5.0.0 release or " + "the 'O' development cycle. The in-process cache causes " + "inconsistent results and high memory usage. When the feature " + "is removed the auth_token middleware will not cache tokens " + "by default which may result in performance issues. It is " + "recommended to use memcache for the auth_token token cache " + "by setting the memcached_servers option.")) @contextlib.contextmanager def reserve(self): @@ -125,7 +135,7 @@ class TokenCache(object): **self._memcache_pool_options) else: - return _CachePool(self._memcached_servers) + return _CachePool(self._memcached_servers, self._LOG) def initialize(self, env): if self._initialized: diff --git a/releasenotes/notes/deprecate-caching-tokens-in-process-a412b0f1dea84cb9.yaml b/releasenotes/notes/deprecate-caching-tokens-in-process-a412b0f1dea84cb9.yaml new file mode 100644 index 0000000..6712ffe --- /dev/null +++ b/releasenotes/notes/deprecate-caching-tokens-in-process-a412b0f1dea84cb9.yaml @@ -0,0 +1,18 @@ +--- +deprecations: + - > + With the release of 4.2.0 of keystonemiddleware we no longer recommend + using the in-process token cache. In-process caching may result in + inconsistent validation, poor UX and race conditions. + + It is recommended that the `memcached_servers` option is set in the + `keystone_authtoken` configuration section of the various services (e.g. + nova, glance, ...) with the endpoint of running memcached server(s). + + When the feature is removed, not setting the `memcached_servers` + option will cause keystone to validate tokens more frequently, increasing + load. In production, use of caching is highly recommended. + + This feature is deprecated as of 4.2.0 and is targeted for removal in + keystonemiddleware 5.0.0 or in the `O` development cycle, whichever is + later.