On 07/18/2016 08:14 AM, Matt Riedemann wrote:

> Nova doesn't actually validate that the user_id passed into the keypairs API
> is valid, does it? Like flavor access and quotas, Nova is given an ID
> but doesn't validate it with Keystone. So we don't actually need
> Keystone to find these, do we?
>
> I'm not saying that's great; we already had a spec approved for Newton
> to check the provided user/project ID with Keystone for the flavor
> access and quotas APIs, we could do the same for keypairs.
>
> You could, however, write a script that deletes keypairs for user_ids
> that don't exist in Keystone...

A user can be in more than one project, so delete of users in projects automatically has some edge conditions, enough so that I'm not sure we'd ever want that automatically.

My suggestion would be a periodic purge of your local records by looking up the user IDs in Keystone. The dead keys are doing very little other than taking up space, so it's mostly just about compaction, which could be run on a weekly basis.

        -Sean

--
Sean Dague
http://dague.net

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
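
A sketch of the periodic purge suggested in the message above, added here as an example and not code from the thread or from Nova. The names `plan_keypair_purge`, `user_exists` and `LookupFailed`, the `max_missing_ratio` safety threshold and the sample rows are all assumptions: in a deployment `user_exists` would wrap a Keystone user lookup and the rows would come from Nova's keypair records. It keys on whether the user exists at all, not on project membership, and treats a failed lookup as "unknown" so an identity outage never deletes keys.

```python
from collections import defaultdict


class LookupFailed(Exception):
    """The identity lookup gave no answer (timeout, 5xx, auth error)."""


def plan_keypair_purge(keypairs, user_exists, max_missing_ratio=0.5):
    """Return (to_delete, skipped_users) for keypairs whose owner is gone.

    keypairs: iterable of (user_id, keypair_name) rows (hypothetical shape).
    user_exists: callable(user_id) -> bool. It must raise LookupFailed when
        the answer is unknown, so an outage is never read as "user deleted".
    """
    by_user = defaultdict(list)
    for user_id, name in keypairs:
        by_user[user_id].append(name)

    missing, skipped = [], []
    for user_id in sorted(by_user):      # one lookup per user, not per key
        try:
            if not user_exists(user_id):
                missing.append(user_id)
        except LookupFailed:
            skipped.append(user_id)      # unknown owner: keep the keys

    # Safety valve (an assumption of this example): if most owners look
    # deleted, suspect the lookup (wrong endpoint or scope), not the users.
    if by_user and len(missing) / len(by_user) > max_missing_ratio:
        raise RuntimeError(
            "%d of %d users appear deleted; refusing to purge"
            % (len(missing), len(by_user)))

    to_delete = [(u, n) for u in missing for n in by_user[u]]
    return to_delete, skipped


# Constructed sample data, not real records.
SAMPLE_KEYPAIRS = [("u-alice", "laptop"), ("u-alice", "ci"),
                   ("u-bob", "old-key"), ("u-carol", "deploy"),
                   ("u-dave", "workstation")]


def sample_user_exists(user_id):
    if user_id == "u-carol":             # simulate a lookup timeout
        raise LookupFailed(user_id)
    return user_id in {"u-alice", "u-dave"}


if __name__ == "__main__":
    print(plan_keypair_purge(SAMPLE_KEYPAIRS, sample_user_exists))
```

Running the plan as a dry run first and logging `skipped_users` makes it easy to see which keys were kept because the lookup failed.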
