OpenStack Identity supports a caching layer that sits above the configurable subsystems (for example, token). OpenStack Identity uses the dogpile.cache library, which allows flexible cache back ends. The majority of the caching configuration options are set in the [cache] section of the /etc/keystone/keystone.conf file. However, each section that has the capability to be cached usually also has a caching boolean value that toggles caching for that particular subsystem.
So to enable only the token back end caching, set the values as follows:
[cache]
enabled=true

[catalog]
caching=false

[domain_config]
caching=false

[federation]
caching=false

[resource]
caching=false

[revoke]
caching=false

[role]
caching=false

[token]
caching=true
Since the Newton release, both the global toggle and the per-subsystem caching settings are enabled by default. As a result, every subsystem that supports caching does so out of the box.
All types of tokens benefit from caching, including Fernet tokens. Although Fernet tokens do not need to be persisted, they should still be cached for optimal token validation performance.
The token system has a separate cache_time configuration option that can be set to a value above or below the global default, allowing for different caching behavior from the other systems in OpenStack Identity. This option is set in the [token] section of the configuration file.
The token revocation list cache time is handled by the revocation_cache_time configuration option in the [token] section. The revocation list is refreshed whenever a token is revoked. It typically sees significantly more requests than specific token retrievals or token
The following actions are affected by the cache time: getting a new token, revoking tokens, validating tokens, checking v2 tokens, and checking v3 tokens.
The delete token API calls invalidate the cache for the tokens being acted upon, as well as invalidating the cache for the revoked token list and the validate/check token calls.
Token caching is configurable independently of the revocation list caching. Expiration checks were lifted from the token drivers into the token manager, which ensures that a cached token still raises TokenNotFound once it has expired, regardless of how long its cache entry would otherwise remain valid.
For cache consistency, all token IDs are transformed into the short token hash at the provider and token driver level. Some methods have access to the full ID (PKI Tokens), and some methods do not. Cache invalidation is inconsistent without token ID normalization.
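The two properties described above (expiry enforced in the manager rather than trusted from the cache, and token IDs normalized to a short hash so that revocation by hash and validation by full ID hit the same cache entry) are illustrated by the following added example; it is a constructed model and not keystone's own code. The short-hash rule, the in-memory "driver", and the injectable clock are assumptions made to keep it self-contained.

```python
import hashlib
import time


class TokenNotFound(Exception):
    """Raised for unknown, revoked or expired tokens."""


def normalize_token_id(token_id):
    # Stand-in for keystone's short-hash normalization (assumption: a 32-hex-char
    # value is already a hash; anything longer, e.g. a full PKI token, is hashed).
    if len(token_id) == 32 and all(c in "0123456789abcdef" for c in token_id):
        return token_id
    return hashlib.sha256(token_id.encode()).hexdigest()[:32]


class TokenManager:
    """Toy token manager: a driver dict behind a cache, expiry checked in the manager."""

    def __init__(self, cache_time, now=time.time):
        self._driver = {}      # simulated token driver: short hash -> token dict
        self._cache = {}       # short hash -> (token dict, time it was cached)
        self._revoked = set()  # simulated revocation list
        self._cache_time = cache_time
        self._now = now

    def issue(self, token_id, ttl):
        key = normalize_token_id(token_id)
        self._driver[key] = {"id": key, "expires_at": self._now() + ttl}

    def revoke(self, token_id):
        key = normalize_token_id(token_id)
        self._revoked.add(key)
        self._cache.pop(key, None)  # invalidate the cached entry for this token

    def validate(self, token_id):
        key = normalize_token_id(token_id)
        if key in self._revoked:
            raise TokenNotFound(key)
        entry = self._cache.get(key)
        if entry is None or self._now() - entry[1] >= self._cache_time:
            token = self._driver.get(key)  # miss or stale entry: ask the driver
            if token is None:
                raise TokenNotFound(key)
            self._cache[key] = (token, self._now())
        else:
            token = entry[0]               # cache hit, entry younger than cache_time
        # Expiry is checked here, above the cache, so a cached-but-expired token is
        # rejected even when its cache entry is still within cache_time.
        if token["expires_at"] <= self._now():
            raise TokenNotFound(key)
        return token

    def is_valid(self, token_id):
        try:
            self.validate(token_id)
            return True
        except TokenNotFound:
            return False
```

With cache_time set well above the token lifetime, the cache entry outlives the token, and only the manager-level check keeps the expired token from validating.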
Various other keystone components have a separate cache_time option that can be set to a value above or below the global expiration_time default, allowing for different caching behavior from the other systems in Identity service. This option can be set in various sections (for example, [resource]) of the configuration file.
The create, update, and delete actions for domains, projects and roles
will perform proper invalidations of the cached methods listed above.
For more information about the different back ends (and configuration options), see:
The following example shows how to configure the memcached back end:
[cache]
enabled = true
backend = dogpile.cache.memcached
backend_argument = url:127.0.0.1:11211
You need to specify the URL to reach the memcached instance with the backend_argument option.