Comment 3 for bug 1842930

Akihiro Motoki (amotoki) wrote :

Horizon (openstack_auth module) stores a token in Django session store.
That's the reason that a user can access services even after the user is deleted.
The token stored in Django session store is used to access back-end services.

A user can be deleted via both CLI and Horizon.
(a) If a user is deleted via horizon, horizon can clear a session and the deleted user cannot access back-end services immediately after deleting the user.
(b) If a user is deleted via CLI (or other ways that horizon is not involved), there is no way that horizon can know it, so the deleted user can continue to access services.

Horizon has a setting SESSION_TIMEOUT (which defaults to 3600) [1]. If the minimum time of the keystonemiddleware cache time and the horizon session timeout passes, the deleted user can no longer access services. As of now, keystonemiddleware cache time is 300 sec and horizon's SESSION_TIMEOUT is 3600 sec by default, so the situation reported here continues for 300 sec after the user is deleted.

I think it is reasonable to keep the current behavior from the performance perspective.
As Morgan commented, we can improve our documentation to highlight this behavior clearly.

[1] https://docs.openstack.org/horizon/latest/configuration/settings.html#session-timeout
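The two deletion paths described in the comment above, as an added example that is not part of the bug report or of horizon/keystonemiddleware code: a small Python model with stand-ins (hypothetical classes, not the real APIs) for the back-end service's token validation cache and horizon's Django session, showing the window in which a CLI-deleted user's token keeps working and why a horizon-driven deletion closes it at once.

```python
TOKEN_CACHE_TIME = 300    # keystonemiddleware cache time (seconds) quoted in the comment
SESSION_TIMEOUT = 3600    # horizon SESSION_TIMEOUT default (seconds)

class Keystone:
    """Stand-in identity service: a token validates only while its user still exists."""
    def __init__(self, users):
        self.users, self.tokens = set(users), {}
    def issue_token(self, user):
        self.tokens[f"tok-{user}"] = user
        return f"tok-{user}"
    def validate(self, token):
        return self.tokens.get(token) in self.users
    def delete_user(self, user):
        self.users.discard(user)

class AuthTokenCache:
    """Stand-in for keystonemiddleware's validation cache in front of a back-end service."""
    def __init__(self, keystone, ttl=TOKEN_CACHE_TIME):
        self.keystone, self.ttl, self.cache = keystone, ttl, {}
    def is_valid(self, token, now):
        hit = self.cache.get(token)
        if hit is not None and now < hit[1]:
            return hit[0]                        # cached verdict, keystone is not consulted
        verdict = self.keystone.validate(token)  # cache miss or expired: ask keystone again
        self.cache[token] = (verdict, now + self.ttl)
        return verdict

class HorizonSession:
    """Stand-in for the Django session in which openstack_auth keeps the token."""
    def __init__(self, token, now, ttl=SESSION_TIMEOUT):
        self.token, self.expires = token, now + ttl
    def clear(self):
        self.expires = 0                         # case (a): horizon clears the session itself
    def can_access(self, service, now):
        return now < self.expires and service.is_valid(self.token, now)

def deleted_user_timeline():
    """Access verdicts at given seconds after login, for both deletion paths."""
    ks = Keystone(["alice", "bob"])              # constructed sample users
    svc = AuthTokenCache(ks)
    alice = HorizonSession(ks.issue_token("alice"), now=0)
    out = {"t10_before_delete": alice.can_access(svc, 10)}   # caches 'valid' until t=310
    ks.delete_user("alice")                                  # case (b): deleted via CLI at t=20
    out["t20_after_cli_delete"] = alice.can_access(svc, 20)  # True: cache hit, window still open
    out["t320_cache_expired"] = alice.can_access(svc, 320)   # False: revalidated with keystone
    bob = HorizonSession(ks.issue_token("bob"), now=0)
    bob.can_access(svc, 10)                                  # populate the cache for bob too
    ks.delete_user("bob")                                    # case (a): deleted via horizon
    bob.clear()
    out["t20_after_horizon_delete"] = bob.can_access(svc, 20)  # False despite the warm cache
    return out
```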