Externalize Keystone secret key cache TTL

rafaelweingartner · rafaelweingartner · commit 51d447b77485 · 2025-05-13T19:18:20.000-03:00
The Keystone secret key TTL is hardcoded to 300 seconds (5 minutes).
For some use cases, the TTL could be increased, and as a consequence, the number of requests to Keystone is reduced.

Therefore, we propose to externalize the configuration as an option that provides this flexibility to operators. The default is maintained as 300 seconds (5 minutes).

Signed-off-by: Rafael Weingärtner &lt;rafael@apache.org&gt;
diff --git a/src/common/options/rgw.yaml.in b/src/common/options/rgw.yaml.in
@@ -844,6 +844,16 @@ options:
   services:
   - rgw
   with_legacy: true
+- name: rgw_keystone_token_cache_ttl
+  type: int
+  level: advanced
+  desc: Keystone token secret key cache TTL
+  long_desc: The TTL for secret keys that are loaded from Keystone and stored in the cache system.
+  fmt_desc: The maximum TTL that a secret loaded from Keystone is maintained in the token cache system.
+  default: 300
+  services:
+  - rgw
+  with_legacy: true
 - name: rgw_keystone_verify_ssl
   type: bool
   level: advanced
diff --git a/src/rgw/rgw_auth_keystone.h b/src/rgw/rgw_auth_keystone.h
@@ -102,7 +102,7 @@ class SecretCache {
     : cct(g_ceph_context),
       lock(),
       max(cct->_conf->rgw_keystone_token_cache_size),
-      s3_token_expiry_length(300, 0) {
+      s3_token_expiry_length(cct->_conf->rgw_keystone_token_cache_ttl, 0) {
   }
 
   ~SecretCache() {}

Original file line number	Diff line number	Diff line change
`@@ -102,7 +102,7 @@ class SecretCache {`
`102`	`102`	`: cct(g_ceph_context),`
`103`	`103`	`lock(),`
`104`	`104`	`max(cct->_conf->rgw_keystone_token_cache_size),`
`105`		`- s3_token_expiry_length(300, 0) {`
	`105`	`+ s3_token_expiry_length(cct->_conf->rgw_keystone_token_cache_ttl, 0) {`
`106`	`106`	`}`
`107`	`107`
`108`	`108`	`~SecretCache() {}`