Keystone never deletes expired tokens in the database

Asked by li,chen

Keystone never deletes expired tokens in the database. And I noticed the token table has no index on “expired” and “valid”.
Is this a bug, or is it designed to work this way? Why?

Thanks.
-chen

Question information

Language: English
Status: Answered
For: OpenStack Identity (keystone)
Assignee: No assignee
Adam (adam500) said :
#2

I have a few fixes. Now that the tokens are encrypted in the database it is taking much longer to do the queries. Here is the bug report I filed after not getting any response here: https://bugs.launchpad.net/keystone/+bug/1182481

I have tuned my /etc/mysql/my.cnf with the following:

key_buffer = 2048M
max_allowed_packet = 2048M
thread_stack = 512M
thread_cache_size = 1024
query_cache_limit = 2048M
query_cache_size = 128M
innodb_buffer_pool_size = 2048M

Restart mysql after making the changes.

Also it was suggested to modify the date:

/etc/init.d/ntp stop
date -s "`date`"
/etc/init.d/ntp start

This has helped greatly.

I also found that flushing the keystone tokens and only keeping ones that are less than a day old helped out.

Here is the mysql command:
USE keystone ; DELETE FROM token WHERE NOT DATE_SUB(CURDATE(),INTERVAL 1 DAY) <= expires;

I had a cron doing this but I have stopped the cron and it is looking like it is running better now.

Currently they do not remove expired tokens for security auditing. There should be a new tool that will be out soon called keystone-manage token-flush. I believe this has been released to trunk.

Hope this helps.
Adam
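
A batched version of the purge described in the answer above, as an added example that is not part of the original thread or of keystone. It runs against a constructed SQLite stand-in for the MySQL `token` table (the schema beyond `expires` and `valid`, the index name `ix_token_expires` and the batch size are assumptions), deletes tokens that expired more than a day ago in short transactions, and reports whether the expiry filter uses the index.

```python
import sqlite3
from datetime import datetime, timedelta

NOW = datetime(2013, 5, 22, 12, 0, 0)   # constructed "current time" (UTC)

def make_db():
    """Constructed SQLite stand-in for keystone's MySQL token table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE token (id TEXT PRIMARY KEY, expires TEXT, valid INTEGER)")
    # Without this index every expiry lookup and purge is a full table scan.
    db.execute("CREATE INDEX ix_token_expires ON token (expires)")
    # Constructed sample rows: expiry offsets in hours relative to NOW.
    for i, hours in enumerate([-72, -30, -25, -23, -1, 1, 24]):
        expires = (NOW + timedelta(hours=hours)).isoformat(sep=" ")
        db.execute("INSERT INTO token VALUES (?, ?, 1)", (f"tok{i}", expires))
    db.commit()
    return db

def purge_expired(db, now, keep=timedelta(days=1), batch=1000):
    """Delete tokens that expired more than `keep` ago, `batch` rows per transaction.

    Small batches keep each transaction short so token validation is not
    blocked behind one huge DELETE. Returns the number of rows removed.
    """
    cutoff = (now - keep).isoformat(sep=" ")
    removed = 0
    while True:
        cur = db.execute(
            "DELETE FROM token WHERE id IN "
            "(SELECT id FROM token WHERE expires < ? LIMIT ?)",
            (cutoff, batch),
        )
        db.commit()
        removed += cur.rowcount
        if cur.rowcount < batch:
            return removed

def purge_plan(db):
    """Return the query plan text for the purge's expiry filter."""
    rows = db.execute(
        "EXPLAIN QUERY PLAN SELECT id FROM token WHERE expires < ?", ("2013-05-21",)
    ).fetchall()
    return " ".join(row[3] for row in rows)

if __name__ == "__main__":
    db = make_db()
    print(purge_plan(db))
    print(purge_expired(db, NOW, batch=2), "tokens purged")
```

Unlike the `CURDATE()` query above, this cutoff is a full timestamp, so the retention window is exactly `keep` rather than aligned to midnight.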
