reduce default token duration to one hour

- reduces number of active tokens that have to be persisted, especially
  where clients are needlessly regenerating tokens
- reduces the window of publishing token revocation events (you only
  have to publish events from the last hour)
- reduces the window of the token revocation list (similar to the above)

DocImpact
UpgradeImpact

Implements: bp reduce-default-token-duration
Change-Id: Ia548f7e981690edab56c51fdcab9102245aced3e
Dolph Mathews 2014-01-13 16:17:32 -06:00
parent 83db9722c2
commit 7494f93dc3
4 changed files with 7 additions and 4 deletions


@ -256,7 +256,7 @@
# provider = # provider =
# Amount of time a token should remain valid (in seconds) # Amount of time a token should remain valid (in seconds)
# expiration = 86400 # expiration = 3600
# External auth mechanisms that should add bind information to token. # External auth mechanisms that should add bind information to token.
# eg kerberos, x509 # eg kerberos, x509


@ -69,7 +69,7 @@ FILE_OPTIONS = {
'token': [ 'token': [
cfg.ListOpt('bind', default=[]), cfg.ListOpt('bind', default=[]),
cfg.StrOpt('enforce_token_bind', default='permissive'), cfg.StrOpt('enforce_token_bind', default='permissive'),
cfg.IntOpt('expiration', default=86400), cfg.IntOpt('expiration', default=3600),
cfg.StrOpt('provider', default=None), cfg.StrOpt('provider', default=None),
cfg.StrOpt('driver', cfg.StrOpt('driver',
default='keystone.token.backends.sql.Token'), default='keystone.token.backends.sql.Token'),
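Review bot: The `expiration` option is declared without a `help` string, so the unit and the reason for the shorter lifetime are recorded only in the sample config comment and the commit message. I would put it on the option itself: `cfg.IntOpt('expiration', default=3600, help='Amount of time a token should remain valid (in seconds).'),`. Nothing visible in this hunk rejects a zero or negative value, so it is worth confirming that the code consuming `CONF.token.expiration` handles one safely. Because deployments that never set `expiration` change from 24-hour to 1-hour tokens on upgrade, the release note for the UpgradeImpact flag should say how to keep the old value. The `FILE_OPTIONS` dict starts and ends outside this hunk.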


@ -149,7 +149,7 @@ class MemcacheToken(tests.TestCase, test_backend.TokenTests):
expired_token_id = uuid.uuid4().hex expired_token_id = uuid.uuid4().hex
user_id = unicode(uuid.uuid4().hex) user_id = unicode(uuid.uuid4().hex)
expire_delta = datetime.timedelta(seconds=86400) expire_delta = datetime.timedelta(seconds=CONF.token.expiration)
valid_data = {'id': valid_token_id, 'a': 'b', valid_data = {'id': valid_token_id, 'a': 'b',
'user': {'id': user_id}} 'user': {'id': user_id}}


@ -16,6 +16,7 @@
import datetime import datetime
from keystone import config
from keystone import exception from keystone import exception
from keystone.openstack.common import timeutils from keystone.openstack.common import timeutils
from keystone import tests from keystone import tests
@ -23,7 +24,9 @@ from keystone.tests import default_fixtures
from keystone import token from keystone import token
FUTURE_DELTA = datetime.timedelta(seconds=86400) CONF = config.CONF
FUTURE_DELTA = datetime.timedelta(seconds=CONF.token.expiration)
CURRENT_DATE = timeutils.utcnow() CURRENT_DATE = timeutils.utcnow()
SAMPLE_V2_TOKEN = { SAMPLE_V2_TOKEN = {
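Review bot: `FUTURE_DELTA` is now computed from `CONF.token.expiration` at module import, so its value is fixed before any test fixture can override the option. A test that sets a different `expiration` would presumably still build its sample tokens from the import-time default, which can hide expiry-handling regressions. Either compute the delta where it is used, or state the limitation above the constant: `# evaluated once at import; does not follow per-test overrides of [token] expiration`. The uses of `FUTURE_DELTA` lie outside this hunk, so the impact on individual tests cannot be confirmed from here.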