My biggest concern is that token revocation is a self-service operation, which means *any* user can potentially flood the revocation_event table without any kind of rate limiting or SIEM.
We are pruning revocation events on the next revocation call.
https://github.com/openstack/keystone/blob/master/keystone/revoke/backends/sql.py#L103
I am not worried about pruning old events. Rather, any ordinary user can flood the table in a short amount of time, crippling performance.