python-keystoneclient

Global Plugins across Threads

Bug #1493835 reported by Jamie Lennox
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
keystoneauth
Fix Released
Low
Jamie Lennox
keystoneauth 1.1.0 "1.1.0"
python-keystoneclient
Fix Released
Low
Jamie Lennox
python-keystoneclient 1.8.0 "1.8.0"

Bug Description

Nova and other services that have global authentication configured in CONF have a problem that if multiple threads are using a token and it expires then they will all try to reauthenticate at once. This isn't a huge problem because they will just override each other with frest tokens but it's not ideal.

The sessions are thread safe and so can be stored globally on the process and we should make the plugins thread safe as well.

Initially I was thinking of putting a shim in so that requests to the plugin all have to go through a lock. However i think the easiest solution is to make a lock part of the plugin and say that all plugins should be thread safe. In reality the only part that is a problem is when you fetch new auth from the server so if we put a lock around that it will solve the problem for all known plugins (because they are either identity plugins or they are static).

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-keystoneclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/221738

Changed in python-keystoneclient:
assignee: nobody → Jamie Lennox (jamielennox)
status: New → In Progress
OpenStack Infra (hudson-openstack)
Changed in keystoneauth:
assignee: nobody → Jamie Lennox (jamielennox)
status: New → In Progress
Revision history for this message
Brant Knudson (blk-u) wrote :

seems like more of a performance issue, so low.

Changed in python-keystoneclient:
importance: Undecided → Low
Changed in keystoneauth:
importance: Undecided → Low
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystoneauth (master)

Reviewed: https://review.openstack.org/221551
Committed: https://git.openstack.org/cgit/openstack/keystoneauth/commit/?id=c8d7506ce6b555e60a94f217a41f8d397dedf651
Submitter: Jenkins
Branch: master

commit c8d7506ce6b555e60a94f217a41f8d397dedf651
Author: Jamie Lennox <email address hidden>
Date: Wed Sep 9 10:03:52 2015 +1000

    Identity plugin thread safety

    A common case is for Nova (or other service) to create an admin
    authentication from a CONF file and then have many greenlet threads that
    want to reuse that authentication. If a token expires then many threads
    all try and fetch a new token to use and can step over each other.

    I was hoping for a way to put a lock in so that all plugins were thread
    safe however fixing it for identity plugins solves almost all real world
    situations and anyone doing non-identity plugins will have to manage
    threads themselves.

    Closes-Bug: #1493835
    Change-Id: Ie478499a086a4b0db4fb9e5b820f6f5cd4074763

Changed in keystoneauth:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-keystoneclient (master)

Reviewed: https://review.openstack.org/221738
Committed: https://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=556c1a6633931207370106478fa2d155fbffb126
Submitter: Jenkins
Branch: master

commit 556c1a6633931207370106478fa2d155fbffb126
Author: Jamie Lennox <email address hidden>
Date: Wed Sep 9 22:38:04 2015 +1000

    Identity plugin thread safety

    A common case is for Nova (or other service) to create a service
    authentication plugin from a configuration file and then have many
    greenlet threads that want to reuse that authentication. If a token
    expires then many threads all try and fetch a new token to use and can
    step over each other.

    I was hoping for a way to put a lock in so that all plugins were thread
    safe however fixing it for identity plugins solves almost all real world
    situations and anyone doing non-identity plugins will have to manage
    threads themselves.

    Change-Id: Ib6487de7de638abc69660c851bd048a8ec177109
    Closes-Bug: #1493835

Changed in python-keystoneclient:
status: In Progress → Fix Committed
Davanum Srinivas (DIMS) (dims-v)
Changed in keystoneauth:
milestone: none → 1.1.0
status: Fix Committed → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-keystoneclient (stable/liberty)

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/229361

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on python-keystoneclient (stable/liberty)

Change abandoned by Davanum Srinivas (dims) (<email address hidden>) on branch: stable/liberty
Review: https://review.openstack.org/229361

Davanum Srinivas (DIMS) (dims-v)
Changed in python-keystoneclient:
milestone: none → 1.8.0
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.