OK. I tried a test and I think this is legitimate and that tokens aren't getting expired.
To test this I modified the existing tempest test[1], to add a self.client.delete_token(token_id) right after the scoped token is revoked. This should revoke the unscoped token.
Then I changed the Keystone configuration so that it uses revocation events only, by setting revoke_by_id=false in keystone.conf
When running the test, the unscoped token IS NOT revoked. Looking at the debugger, after the revocations, the revocation event's self.revoke_map has ...'expires_at=2014-07-31 20:13:06'...
And the token data has 'expires_at': datetime.datetime(2014, 7, 31, 20, 13, 6, 126800). So is_revoked tries to match 'expires_at=2014-07-31 20:13:06.126800' against the revoke_map and it doesn't match because it's an exact match.
OK. I tried a test and I think this is legitimate and that tokens aren't getting expired.
To test this I modified the existing tempest test[1], to add a self.client. delete_ token(token_ id) right after the scoped token is revoked. This should revoke the unscoped token.
Then I changed the Keystone configuration so that it uses revocation events only, by setting revoke_by_id=false in keystone.conf
When running the test, the unscoped token IS NOT revoked. Looking at the debugger, after the revocations, the revocation event's self.revoke_map has ...'expires_ at=2014- 07-31 20:13:06'...
And the token data has 'expires_at': datetime. datetime( 2014, 7, 31, 20, 13, 6, 126800). So is_revoked tries to match 'expires_ at=2014- 07-31 20:13:06.126800' against the revoke_map and it doesn't match because it's an exact match.
[1] http:// git.openstack. org/cgit/ openstack/ tempest/ tree/tempest/ api/identity/ admin/v3/ test_tokens. py?id=973c6cd98 e4b226bec2f1b40 943afaa910e1804 7#n140
Essentially, revoking tokens individually doesn't work with mysql and revocation events.