neutron

expensive policy check operation

Bug #1179745 reported by Aaron Rosen
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
neutron
Fix Released
Medium
Salvatore Orlando
neutron 2013.2 "havana"

Bug Description

If one does:

quantum port-list

The plugin will return a list of all ports but then in api/v2/base.py it does a get_network() for each network returned in the port list which is expensive. It would be better to avoid this or do a get_networks() instead.

            obj_list = [obj for obj in obj_list
                        if policy.check(request.context,
                                        self._plugin_handlers[self.SHOW],
                                        obj,
                                        plugin=self._plugin)]
https://github.com/openstack/quantum/blob/master/quantum/api/v2/base.py#L214

Tags: api
Revision history for this message
Salvatore Orlando (salvatore-orlando) wrote :

The get_network is used to return the owner of the parent resource which is used by some checks.
This could be avoided using the attribute map and passing the attribute as a non visible attribute with post and put disabled (this will make it a 'hidden' attribute).

Changed in quantum:
importance: Undecided → Medium
assignee: nobody → Salvatore Orlando (salvatore-orlando)
milestone: none → havana-1
status: New → Confirmed
Revision history for this message
Salvatore Orlando (salvatore-orlando) wrote :

Unfortunately the previous idea was dumb.
Indeed having the API returning the 'parent resource owner' than requesting the policy engine to load it, it's just changing the place where the extra db operation is performed.

In some cases this operation is performed anyway, and so there will be a saving. But in others (and most importantly the index use case) it's not.

Plugins which drive a 3rd party backend might benefit from this, but the extra db checks are stil annoying.

The approach to adopt is therefore to perform the ownership check for the parent resource only when it's needed.
This is determined by the policies configured on the system.

In the default setup, this will mean the extra plugin operation is performed only on create operations and update operations on 'shared' objects.

Also, we might use this bug to get rid of validate_tenant_ownership which does yet another plugin access.

Revision history for this message
Salvatore Orlando (salvatore-orlando) wrote :

The proposed if fix is now about to be pushed.
A simple test with https://gist.github.com/salv-orlando/5598358 revealed that plugin accesses for policy enforcements over 260 API requests are reduced from 810 to 10. It seems it might be acceptable.

Validate_tenant_ownership has not been removed in this patch.
The reason is that it requires a new check which validates extensively attribute in the parent resource.
The only admin_or_network_owner check is not enough.

We still want to fold it into the policy engine, but that will require changes that are outside of scope for this bug fix.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to quantum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/29513

Changed in quantum:
status: Confirmed → In Progress
Mark McClain (markmcclain)
tags: added: api
Mark McClain (markmcclain)
Changed in quantum:
milestone: havana-1 → havana-2
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to quantum (master)

Reviewed: https://review.openstack.org/29513
Committed: http://github.com/openstack/quantum/commit/27bdfcab29d8e2c28e4aad31df6a56363cf2c6c5
Submitter: Jenkins
Branch: master

commit 27bdfcab29d8e2c28e4aad31df6a56363cf2c6c5
Author: Salvatore Orlando <email address hidden>
Date: Thu May 16 11:01:49 2013 +0200

    Reduce plugin accesses from policy engine

    Bug 1179745

    This patch introduces a new type of check whose aim is to fetch
    the parent resource's owner only when a rule that explicitly needs
    it needs to be checked.

    Change-Id: I1ff429eb3f92b35bcb9b4c4e01b65f8c0a595f48

Changed in quantum:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in neutron:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in neutron:
milestone: havana-2 → 2013.2
Kevin Bringard (kbringard)
tags: added: grizzly-backport-potential
Alan Pevec (apevec)
tags: removed: grizzly-backport-potential
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.