Merge "Add cron job to periodically flush expired tokens"

doc/install-guide/section_keystone-install.xml

@@ -207,5 +207,28 @@ admin_token = ADMIN_TOKEN
       <screen os="rhel;fedora;centos;sles;opensuse"><prompt>#</prompt> <userinput>service openstack-keystone start</userinput>
 <prompt>#</prompt> <userinput>chkconfig openstack-keystone on</userinput></screen>
     </step>
+    <step>
+      <para>By default, the Identity Service stores expired tokens in
+        the database indefinitely. While potentially useful for auditing
+        in production environments, the accumulation of expired tokens
+        will considerably increase database size and may decrease
+        service performance, particularly in test environments with
+        limited resources. We recommend configuring a periodic task using
+        <systemitem class="service">cron</systemitem> to purge expired
+        tokens hourly.</para>
+      <substeps>
+        <step>
+          <para>Edit the crontab for the root user:</para>
+          <screen><prompt>#</prompt> <userinput>crontab -e</userinput></screen>
+        </step>
+        <step>
+          <para>Add the following line to purge expired tokens every
+            hour and log the output to
+            <filename>/var/log/keystone/keystone-tokenflush.log</filename>:
+          </para>
+          <programlisting>@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&amp;1</programlisting>
+        </step>
+      </substeps>
+    </step>
   </procedure>
 </section>