Caching Layer

The caching layer is designed to be applied to any manager object within Keystone via the use of keystone.common.cache module. This leverages oslo.cache caching system to provide a flexible caching backend.

The caching can be setup for all or some subsystems. It is recommended that each of the managers have an independent toggle within the config file to enable caching. The easiest method to utilize the toggle within the configuration file is to define a caching boolean option within that manager’s configuration section (e.g. identity). Enable the global cache enabled option as well as the specific manager’s caching enable toggle in order to cache that subsystem.

The oslo.cache is simple and easy to adopt by any system. See the usage guide of it. There are various cache backends supported by it. Example use of oslo.cache in keystone (in this example, token is the manager):

from keystone.common import cache

TOKENS_REGION = cache.create_region(name='tokens')
MEMOIZE_TOKENS = cache.get_memoization_decorator(

def _validate_token(self, token_id):
    return token

With the above example, each call to the cacheable_function would check to see if the arguments passed to it matched a currently valid cached item. If the return value was cached, the caching layer would return the cached value; if the return value was not cached, the caching layer would call the function, pass the value to the MEMOIZE_TOKEN decorator, which would then determine if caching was globally enabled and enabled for the token manager. If either caching toggle is disabled, the value is returned but not cached.

It is recommended that each of the managers have an independent configurable time-to-live (TTL). The option cache_time is to be set for every manager under its section in keystone.conf file. If the cache_time is set to None, the expiration time will be set to the global default expiration_time option in the [cache] configuration section. These options are passed to and handled by oslo.cache.

Cache invalidation can be done if specific cache entries are changed. Example of invalidating a cache (in this example, token is the manager):

def invalidate_individual_token_cache(self, token_id):
    self._validate_token.invalidate(self, token_id)

For cache invalidation, there is an invalidate method (attribute) on the decorated function. To invalidate the cache, pass the same arguments to the invalidate method as you would the normal function. This means you need to pass self as the first argument.