CODEWITHSUNDEEP
cachingredistokenkeystone
Sinka Lee
Sinka Lee

Reputation: 163

using Redis in Openstack Keystone, some Rubbish in redis

Recently, I'm using Redis to cache token for OpenStack Keystone. The function is fine, but some expired cache data still in Redis.

my Keystone config:

[cache]
enabled=true
backend=dogpile.cache.redis
backend_argument=url:redis://127.0.0.1:6379

[token]
provider = uuid
caching=true  
cache_time= 3600
driver = kvs
expiration = 3600

but some expired data in Redis: Data was over expiration time, but still in here, because the TTL is -1.

My question:

  1. How can I change settings to stop this rubbish data created?
  2. Is some gracefully way to clean it up?
    • I was trying to use command 'keystone-manage token_flush', but after reading code, I realized this command just clean up the expired tokens in Mysql

Upvotes: 1

Views: 1008

Answers (1)

SapManTM
SapManTM

Reputation: 136

I hope this question still relevant.

I'm trying to do the same thing as you are, and for now the only option I found working is the argument on dogpile.cache.redis: redis_expiration_time. Checkout the backend dogpile.redis API or source code. http://dogpilecache.readthedocs.io/en/latest/api.html#dogpile.cache.backends.redis.RedisBackend.params.redis_expiration_time

The only problem with this argument is that it does not let you choose a different TTL for different categories, for example you want tokens for 10 minutes and catalog for 24 hours or so. The other parameters on keystone.conf just don't work from my experience (expiration_time and cache_time on each category)... Anyway this problem isn't relevant if you are using redis to store only keystone tokens.

[cache] 
enabled=true
backend=dogpile.cache.redis
backend_argument=url:redis://127.0.0.1:6379
// Add this line
backend_argument=redis_expiration_time:[TTL]

Just replace the [TTL] with your wanted ttl and you'll start noticing keys with ttl in redis and after a while you will see that they are no more.

about the second question:

This is maybe not the best answer you'll see, but you can use OBJECT idletime [key] command on redis-cli to see how much time the specific key wasn't used (even GET reset idletime). You can delete the keys that have bigger idletime than your token revocation using a simple script.

Remember that the data on Redis isn't persistent data, meaning you can always use FLUSHALL and your OpenStack and keystone will work as usual, but ofc the first authentications will take longer.

Upvotes: 1

Related Questions