yahoo-eng-team team mailing list archive
Message #03636
[Bug 1171985] Re: Token List in Memcache can consume an entire memcache page
** Changed in: keystone
Status: Fix Committed => Fix Released
** Changed in: keystone
Milestone: None => havana-2
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1171985
Title:
Token List in Memcache can consume an entire memcache page
Status in OpenStack Identity (Keystone):
Fix Released
Bug description:
The token list and revocation lists in the memcache token driver can
hit the limit of a given memcache page. This can occur if a user
continually issues tokens and does not let the list page(s) expire out
of the memcache server. The revocation page, in theory, would never
expire out of the memcache server if there was any consistent amount
of revocations occurring.

Typically this will occur if the token count reaches somewhere in the
31,700 range using the 1MB default page size. While this is a fairly
sizable number, the issue lies in that the memcache token driver does
not have any logic to expire out tokens from either the revocation
list or the active token list (with the exception of a delete, which
moves the token from "active" to "revocation"). This means that there
is the potential that any given user could exceed the size of these
two lists over an extended period of time (or even a short period of
time if an account issues/revokes a large quantity of tokens
consistently).

The revocation list appears to be more sensitive to this effect since
it looks to hold the entire token contents instead of just the ID.

When this event occurs, the result will be that no further tokens can
be issued (for a given user/tenant combination) or no further tokens
can be added to the revocation list.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1171985/+subscriptions
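
The failure mode in the bug description, modelled as an added example (not Keystone's code and not the fix that was released): a per-user token list kept in a single cache value fills the page unless expired entries are dropped. Assumptions: token IDs are 32 hex characters stored comma-separated, the 1 MB limit applies to the value only, and FakeMemcache, add_token_unbounded and add_token_pruned are hypothetical names.

```python
ITEM_LIMIT = 1024 * 1024  # assumption: 1 MB page, counted against the value only

class FakeMemcache:
    """Constructed in-memory stand-in: writes that exceed the limit are refused."""
    def __init__(self, limit=ITEM_LIMIT):
        self.limit, self.data = limit, {}

    def get(self, key):
        return bytes(self.data.get(key, b""))

    def set(self, key, value):
        if len(value) > self.limit:
            return False
        self.data[key] = bytearray(value)
        return True

    def append(self, key, chunk):
        value = self.data.setdefault(key, bytearray())
        if len(value) + len(chunk) > self.limit:
            return False  # list is full; the stored value is left unchanged
        value += chunk
        return True

def add_token_unbounded(cache, user, token_id):
    """Behaviour described in the report: entries are appended, never expired."""
    return cache.append(user, token_id.encode() + b",")

def add_token_pruned(cache, user, token_id, expires, now):
    """Hypothetical mitigation: store the expiry, drop expired entries when full."""
    entry = b"%s@%d," % (token_id.encode(), expires)
    if cache.append(user, entry):
        return True
    live = [e for e in cache.get(user).split(b",")
            if e and int(e.split(b"@")[1]) > now]
    rewritten = b"".join(e + b"," for e in live)
    return cache.set(user, rewritten) and cache.append(user, entry)

def fill_unbounded(cache, user="u1"):
    """Count 32-hex-character token IDs accepted before the list page is full."""
    n = 0
    while add_token_unbounded(cache, user, "%032x" % n):
        n += 1
    return n

def issue_with_pruning(cache, count, ttl=3600, user="u1"):
    """Issue one token per simulated second; return how many were accepted."""
    return sum(add_token_pruned(cache, user, "%032x" % t, t + ttl, t)
               for t in range(count))
```

Under these assumptions the unbounded list accepts 31,775 entries before the next write is refused, in line with the range quoted in the report. The pruned variant still refuses writes when every stored token is unexpired, so it bounds growth from stale entries only.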