From 51d447b774858e6738a41f7029d8275e6c4eb1c2 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Rafael=20Weing=C3=A4rtner?=
Date: Wed, 5 Jan 2022 12:57:51 -0300
Subject: [PATCH] Externalize Keystone secret key cache TTL
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

The Keystone secret key TTL is hardcoded to 300 seconds (5 minutes). For some use cases, the TTL could be increased, and as a consequence, the number of requests to Keystone is reduced. Therefore, we propose to externalize the configuration as an option that provides this flexibility to operators. The default is maintained as 300 seconds (5 minutes).

Signed-off-by: Rafael Weingärtner
---
 src/common/options/rgw.yaml.in | 10 ++++++++++
 src/rgw/rgw_auth_keystone.h | 2 +-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/common/options/rgw.yaml.in b/src/common/options/rgw.yaml.in
index 5b9730f8761b5..bc077f1f12174 100644
--- a/src/common/options/rgw.yaml.in
+++ b/src/common/options/rgw.yaml.in
@@ -844,6 +844,16 @@ options:
 services:
 - rgw
 with_legacy: true
+- name: rgw_keystone_token_cache_ttl
+ type: int
+ level: advanced
+ desc: Keystone token secret key cache TTL
+ long_desc: The TTL for secret keys that are loaded from Keystone and stored in the cache system.
+ fmt_desc: The maximum TTL that a secret loaded from Keystone is maintained in the token cache system.
+ default: 300
+ services:
+ - rgw
+ with_legacy: true
 - name: rgw_keystone_verify_ssl
 type: bool
 level: advanced
diff --git a/src/rgw/rgw_auth_keystone.h b/src/rgw/rgw_auth_keystone.h
index de8f98c6c5a65..d4b99b7effeb3 100644
--- a/src/rgw/rgw_auth_keystone.h
+++ b/src/rgw/rgw_auth_keystone.h
@@ -102,7 +102,7 @@ class SecretCache {
 : cct(g_ceph_context),
 lock(),
 max(cct->_conf->rgw_keystone_token_cache_size),
- s3_token_expiry_length(300, 0) {
+ s3_token_expiry_length(cct->_conf->rgw_keystone_token_cache_ttl, 0) {
 }
 ~SecretCache() {}
-- 
2.39.5
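Review bot: The new rgw_keystone_token_cache_ttl option declares no lower bound, so an operator can set 0 or a negative value, and the only consumer in this patch (the SecretCache initializer in the rgw_auth_keystone.h hunk) passes it straight into the expiry length without any check. Adding `min: 0` next to `default: 300` would reject negative values at configuration time, since nothing in either hunk validates it otherwise. The long_desc should also state the trade-off the commit message only implies: a cached secret is trusted until it expires, so a larger TTL lengthens the window in which a credential revoked or rotated in Keystone may still be accepted by RGW, for example `long_desc: The TTL for secret keys loaded from Keystone and stored in the cache. A larger value reduces requests to Keystone but delays the effect of a key revoked or rotated there by up to the TTL.` Whether a failed lookup invalidates a cached entry earlier is not visible in this patch and should be confirmed in the cache lookup path before wording the doc that strongly.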
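Review bot: `s3_token_expiry_length(cct->_conf->rgw_keystone_token_cache_ttl, 0)` samples the option once in the SecretCache constructor, so a value changed on a running daemon presumably does not take effect until the cache object is recreated; if that is intended, a comment on the initializer such as `// TTL is read once at construction; a changed value needs a restart` would save the next reader a search through the config-observer code. The option is an `int` that replaces a literal in what looks like a (seconds, nanoseconds) pair, and a negative value is neither clamped nor rejected here, so either clamp it at this line or bound it in the yaml option (noted on the rgw.yaml.in hunk). The SecretCache class and the start of this constructor lie outside the hunk.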