The Keystone secret key TTL is hardcoded to 300 seconds (5 minutes).
For some use cases, the TTL could be increased, and as a consequence, the number of requests to Keystone is reduced.
Therefore, we propose to externalize the configuration as an option that provides this flexibility to operators. The default is maintained as 300 seconds (5 minutes).
Signed-off-by: Rafael Weingärtner <rafael@apache.org>
services:
- rgw
with_legacy: true
+- name: rgw_keystone_token_cache_ttl
+ type: int
+ level: advanced
+ desc: Keystone token secret key cache TTL
+ long_desc: The TTL for secret keys that are loaded from Keystone and stored in the cache system.
+ fmt_desc: The maximum TTL that a secret loaded from Keystone is maintained in the token cache system.
+ default: 300
+ services:
+ - rgw
+ with_legacy: true
- name: rgw_keystone_verify_ssl
type: bool
level: advanced
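Review bot: the new `rgw_keystone_token_cache_ttl` entry declares `type: int` with `default: 300` but no lower bound and no unit, so 0 or a negative value is accepted as written. Consider adding a `min` bound and stating "in seconds" in `desc`. The name says "token cache" while `desc` and `long_desc` describe secret keys; either rename the option or make the description state explicitly that it applies to the secret key cache. `long_desc` and `fmt_desc` also disagree ("The TTL" versus "The maximum TTL") and should use one wording. Since the stated purpose is to let operators raise the value, `long_desc` should also say that a secret key changed or removed in Keystone can keep being served from the cache for up to this long.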
: cct(g_ceph_context),
lock(),
max(cct->_conf->rgw_keystone_token_cache_size),
- s3_token_expiry_length(300, 0) {
+ s3_token_expiry_length(cct->_conf->rgw_keystone_token_cache_ttl, 0) {
}
~SecretCache() {}
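Review bot: in the `SecretCache` constructor initializer list, `cct->_conf->rgw_keystone_token_cache_ttl` is passed straight into `s3_token_expiry_length(..., 0)` with no range check, so a zero or negative setting ends up as the expiry length. Clamp or reject such values here, or enforce a bound in the option definition. As far as these lines show, the value is read only once at construction, so a later change to the option would not reach an existing cache; if that is intended, the option description should say the setting takes effect on restart.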