Remove deprecated token_flush

This patch removes the deprecated token_flush in stein release of openstack. Change-Id: Ifc6d162923072d657fd5c163b94ffcd88dc80692 Implements: bp removed-as-of-stein
openstack · Oct 17, 2018 · 48dcdb5 · 48dcdb5
1 parent 8e33c78
commit 48dcdb5
Show file tree

Hide file tree

Showing 6 changed files with 3 additions and 71 deletions.
diff --git a/doc/source/admin/identity-performance.rst b/doc/source/admin/identity-performance.rst
@@ -25,20 +25,6 @@ With that said, there are many opportunities for tuning the performance of
 Keystone, many of which are actually trade-offs between performance and
 security that you need to judge for yourself, and tune accordingly.
 
-Pruning expired tokens from backend storage
-===========================================
-
-Using a persistent token format will result in an ever-growing backend store.
-Keystone will not remove, or prune, tokens from the backend even after they are
-expired. This can be managed manually using ``keystone-manage token_flush``,
-which will purge expired tokens from the data store in batches. Diligently
-pruning expired tokens will prevent token bloat.
-
-.. note::
-
-    This optimization is not necessary for deployments leveraging Fernet
-    tokens, which are non-persistent in nature.
-
 Keystone configuration options that affect performance
 ======================================================
 

diff --git a/doc/source/admin/identity-troubleshoot.rst b/doc/source/admin/identity-troubleshoot.rst
@@ -145,24 +145,3 @@ If your certificates are fetched on demand, the PKI validation is
 working properly. Most likely, the token from Identity is not valid for
 the operation you are attempting to perform, and your user needs a
 different role for the operation.
-
-
-Flush expired tokens from the token database table
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Problem
--------
-
-As you generate tokens, the token database table on the Identity server
-grows.
-
-Solution
---------
-
-To clear the token table, an administrative user must run the
-:command:`keystone-manage token_flush` command to flush the tokens. When you
-flush tokens, expired tokens are deleted and traceability is eliminated.
-
-Use ``cron`` to schedule this command to run frequently based on your
-workload. For large workloads, running it every minute is recommended.
-
diff --git a/doc/source/cli/commands.rst b/doc/source/cli/commands.rst
@@ -21,5 +21,4 @@ Available commands:
 * ``mapping_purge``: Purge the identity mapping table.
 * ``mapping_engine``: Test your federation mapping rules.
 * ``saml_idp_metadata``: Generate identity provider metadata.
-* ``token_flush``: Purge expired tokens.
 * ``trust_flush``: Purge expired trusts.
diff --git a/keystone/cmd/cli.py b/keystone/cmd/cli.py
@@ -658,23 +658,6 @@ def main(cls):
         klass.migrate_credentials()
 
 
-class TokenFlush(BaseApp):
-    """Flush expired tokens from the backend."""
-
-    name = 'token_flush'
-
-    @classmethod
-    def main(cls):
-        LOG.warning(
-            'This command is deprecated and no longer needed with the '
-            'development of non-persistent token formats. It will be removed '
-            'in Stein. It is recommended that you remove usage of this '
-            'command or integrate it\'s functionality into a separate tool if '
-            'you are using an out-of-tree provider that relies on persistent '
-            'token storage.'
-        )
-
-
 class TrustFlush(BaseApp):
     """Flush expired and non-expired soft deleted trusts from the backend."""
 
@@ -1185,7 +1168,6 @@ def main(cls):
     MappingPurge,
     MappingEngineTester,
     SamlIdentityProviderMetadata,
-    TokenFlush,
     TokenRotate,
     TokenSetup,
     TrustFlush

diff --git a/keystone/tests/unit/test_cli.py b/keystone/tests/unit/test_cli.py
@@ -1631,23 +1631,6 @@ def test_purge_by_group_type(self):
             )
 
 
-class TestTokenFlush(unit.TestCase):
-
-    def test_token_flush_emits_warning(self):
-        expected_msg = (
-            'This command is deprecated and no longer needed with the '
-            'development of non-persistent token formats. It will be removed '
-            'in Stein. It is recommended that you remove usage of this '
-            'command or integrate it\'s functionality into a separate tool if '
-            'you are using an out-of-tree provider that relies on persistent '
-            'token storage.'
-        )
-        logging = self.useFixture(fixtures.FakeLogger())
-        tf = cli.TokenFlush()
-        tf.main()
-        self.assertThat(logging.output, matchers.Contains(expected_msg))
-
-
 class TestTrustFlush(unit.SQLDriverOverrides, unit.BaseTestCase):
 
     class FakeConfCommand(object):

diff --git a/releasenotes/notes/removed-as-of-stein-5eb23253b72ab54e.yaml b/releasenotes/notes/removed-as-of-stein-5eb23253b72ab54e.yaml
@@ -4,3 +4,6 @@ other:
     [`blueprint removed-as-of-stein <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-stein>`_]
     The options ``member_role_id`` and ``member_role_name`` which were
     deprecated in Queens and only used for V2 are removed now.
+  - >
+    [`blueprint removed-as-of-stein <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-stein>`_]
+    The deprecated token_flush is removed now.