8eb29c37d1
Keystone's performance degrades as the `revocation_event` table grows in size. This patch reduces the total number of events written to the table by not persisting events when a domain or project is disabled. The main reason for persisting a revocation event when a project or domain is disabled is to make sure tokens associated to those targets are considered invalid. Instead of relying on revocation events, we can check if the project or domain is enabled when we validate the token. We take the same approach when we validate a user's role assignments instead of relying on an ever-growing database table.

Co-Authored-By: Lance Bragstad <lbragstad@gmail.com>
Closes-Bug: 1524030
Change-Id: I76330567e0df2d9f2af88ef9b6b98b8c379e7406
11 lines
492 B
YAML
---
fixes:
  - |
    [`bug 1524030 <https://bugs.launchpad.net/keystone/+bug/1524030>`_]
    Revocation records are no longer written to the ``revocation_event`` table
    when a domain or project is disabled. These records were only ever used
    during the token validation process. In favor of revocation events, the
    project or domain will be validated online when the token is validated. This
    results in less database bloat while maintaining security during token
    validation.
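The commit message above replaces persisted revocation events with a check of the project's and domain's enabled state at token validation time. The following is an added example, not Keystone's code and not part of this commit, that models both approaches side by side; `Store`, `Token` and the function names are hypothetical and all data is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Token:
    project_id: str
    issued_at: int

@dataclass
class Store:
    # Constructed stand-ins for the resource backend and the revocation_event table.
    domains: dict = field(default_factory=dict)     # domain_id -> enabled flag
    projects: dict = field(default_factory=dict)    # project_id -> [domain_id, enabled flag]
    revocation_event: list = field(default_factory=list)

    def disable_project(self, project_id, now, persist_event):
        self.projects[project_id][1] = False
        if persist_event:  # behaviour before the change: one more row per disable
            self.revocation_event.append(("project", project_id, now))

    def disable_domain(self, domain_id, now, persist_event):
        self.domains[domain_id] = False
        if persist_event:
            self.revocation_event.append(("domain", domain_id, now))

def validate_with_events(token, store):
    # Event-based check: scan every persisted event for one matching the token.
    domain_id = store.projects[token.project_id][0]
    for kind, target, revoked_at in store.revocation_event:
        hit = target == (token.project_id if kind == "project" else domain_id)
        if hit and token.issued_at <= revoked_at:
            return False
    return True

def validate_online(token, store):
    # Online check: read the current enabled state of the project and its domain.
    domain_id, enabled = store.projects.get(token.project_id, (None, False))
    return enabled and store.domains.get(domain_id, False)

def demo():
    old, new = (Store({"d1": True}, {"p1": ["d1", True], "p2": ["d1", True]}) for _ in range(2))
    tok1, tok2 = Token("p1", issued_at=10), Token("p2", issued_at=10)
    old.disable_project("p1", now=20, persist_event=True)
    new.disable_project("p1", now=20, persist_event=False)
    results = [validate_with_events(tok1, old), validate_online(tok1, new),
               validate_with_events(tok2, old), validate_online(tok2, new)]
    old.disable_domain("d1", now=30, persist_event=True)
    new.disable_domain("d1", now=30, persist_event=False)
    results += [validate_with_events(tok2, old), validate_online(tok2, new)]
    return results, len(old.revocation_event), len(new.revocation_event)
```

In this model both validators reject the same tokens after a disable, while only the event-based store accumulates rows that every later validation has to scan.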