On 07/18/2016 08:14 AM, Matt Riedemann wrote:
> Nova doesn't actually validate the user_id passed into the keypairs API is valid, does it? Like flavor access and quotas, Nova is given an ID but doesn't validate it with Keystone. So we don't actually need Keystone to find these, do we? I'm not saying that's great; we already had a spec approved for Newton to check the provided user/project ID with keystone for the flavor access and quotas APIs, we could do the same for keypairs. You could, however, write a script that deletes keypairs for user_ids that don't exist in Keystone...
A user can be in more than one project, so delete of users in projects automatically has some edge conditions, enough so that I'm not sure we'd ever want that automatically.
My suggestion would be a periodic purge of your local records by looking up the userids in keystone. The dead keys are doing very little other than taking up space, so it's mostly just about compaction, which could be run on a weekly basis.
-Sean

--
Sean Dague
http://dague.net
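The periodic purge suggested above, sketched as an added example that is not part of the original message or of Nova's code. All names here (`plan_purge`, `purge`, `LookupFailed`, the sample IDs) are hypothetical, and how keypair records are enumerated, users are looked up in Keystone and keypairs are deleted is left to injected callables, since that depends on the deployment. The point it shows is that a keypair is only removed on a definite "no such user" answer, never on a failed lookup.

```python
from collections import defaultdict


class LookupFailed(Exception):
    """Keystone gave no usable answer (timeout, 5xx, auth error).

    This is deliberately distinct from a definite 'user not found'.
    """


def plan_purge(keypairs, user_exists):
    """Return (orphans, skipped).

    keypairs    -- iterable of (user_id, keypair_name) taken from Nova's records
    user_exists -- callable(user_id) -> bool; must raise LookupFailed for any
                   error other than a definite "not found" (assumed contract)
    """
    by_user = defaultdict(list)
    for user_id, name in keypairs:
        by_user[user_id].append(name)

    orphans, skipped = [], []
    for user_id, names in sorted(by_user.items()):  # one lookup per user, not per key
        try:
            exists = user_exists(user_id)
        except LookupFailed:
            skipped.append(user_id)  # fail closed: keep keys when unsure
            continue
        if not exists:
            orphans.extend((user_id, n) for n in sorted(names))
    return orphans, skipped


def purge(keypairs, user_exists, delete_keypair, dry_run=True):
    """Delete orphaned keypairs; with dry_run=True only report them."""
    orphans, skipped = plan_purge(keypairs, user_exists)
    if not dry_run:
        for user_id, name in orphans:
            delete_keypair(user_id, name)
    return orphans, skipped


# Constructed sample data standing in for Nova records and Keystone answers.
SAMPLE_KEYPAIRS = [("u-alice", "laptop"), ("u-gone", "old-key"),
                   ("u-gone", "ci"), ("u-flaky", "k1")]
KEYSTONE_USERS = {"u-alice"}


def sample_user_exists(user_id):
    if user_id == "u-flaky":  # simulates a Keystone outage for this lookup
        raise LookupFailed(user_id)
    return user_id in KEYSTONE_USERS


if __name__ == "__main__":
    print(purge(SAMPLE_KEYPAIRS, sample_user_exists, delete_keypair=None))
```

Run weekly with `dry_run=True` first and review the `skipped` list before enabling deletion.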