kvs driver for tokens is not a production quality default

Bug #1188370 reported by Clint Byrum on 2013-06-06
Affects: OpenStack Identity (keystone)
Importance: Low
Assigned to: Wu Wenxiang

Bug Description

The default storage method for tokens is kvs. This has several drawbacks that make it unsuitable for production:

* Requires load balancer to persist connections to a single keystone server by token.
* Memory will grow out of control until token_flush is run.
* At some point kvs lookups get very slow because there are millions of keys in the dict.
* Process restart invalidates all tokens.

A much more production friendly default would be sql. SQL index lookup times will be nearly O(1) for even the largest table, and the flush is only needed to preserve disk space, which is far more abundant and affordable than RAM. Also we already default to SQL for catalog, policy, identity, trust, and credential.
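
The difference described above, as an added example that is not part of the original report and is not keystone's code: a per-process dict store beside a shared SQL table, checked from a second worker (which also models a restarted process). The class names, the SQLite file and the users are assumptions made for illustration.

```python
import os, sqlite3, tempfile, uuid

class KvsTokenStore:
    """Hypothetical model of a per-process dict store: tokens live in one worker's RAM."""
    def __init__(self):
        self.tokens = {}
    def issue(self, user, expires):
        token_id = uuid.uuid4().hex
        self.tokens[token_id] = (user, expires)
        return token_id
    def validate(self, token_id, now):
        user, expires = self.tokens.get(token_id, (None, 0))
        return user if expires > now else None
    def flush(self, now):  # expired entries occupy memory until this runs
        before = len(self.tokens)
        self.tokens = {t: v for t, v in self.tokens.items() if v[1] > now}
        return before - len(self.tokens)

class SqlTokenStore:
    """Hypothetical model of a shared table: any worker opening the same DB sees the token."""
    def __init__(self, path):
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS token "
                        "(id TEXT PRIMARY KEY, user TEXT, expires REAL)")
    def issue(self, user, expires):
        token_id = uuid.uuid4().hex
        with self.db:  # commit so other connections can read the row
            self.db.execute("INSERT INTO token VALUES (?, ?, ?)",
                            (token_id, user, expires))
        return token_id
    def validate(self, token_id, now):
        row = self.db.execute("SELECT user FROM token WHERE id = ? AND expires > ?",
                              (token_id, now)).fetchone()
        return row[0] if row else None
    def flush(self, now):  # only reclaims disk space; lookups stay indexed
        with self.db:
            return self.db.execute("DELETE FROM token WHERE expires <= ?",
                                   (now,)).rowcount

def compare_backends():
    """Issue on worker A, validate on worker B (a second server or a restarted process)."""
    path = os.path.join(tempfile.mkdtemp(), "token-demo.db")  # constructed sample DB
    results = {}
    for name, make in (("kvs", KvsTokenStore), ("sql", lambda: SqlTokenStore(path))):
        worker_a, worker_b = make(), make()
        live = worker_a.issue("alice", expires=200.0)  # constructed users and times
        worker_a.issue("bob", expires=50.0)            # already expired at now=100
        results[name] = (worker_b.validate(live, now=100.0), worker_a.flush(now=100.0))
    return results
```

Calling `compare_backends()` returns, per backend, what worker B sees for a token issued by worker A and how many expired entries the flush removed.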

Dolph Mathews (dolph) on 2013-06-06
Changed in keystone:
status: New → Confirmed
importance: Undecided → Low
Changed in keystone:
assignee: nobody → Wu Wenxiang (wu-wenxiang)

Fix proposed to branch: master
Review: https://review.openstack.org/32296

Changed in keystone:
status: Confirmed → In Progress

Reviewed: https://review.openstack.org/32296
Committed: http://github.com/openstack/keystone/commit/b2da4ea131da5e801c860194845acecb4ef6d808
Submitter: Jenkins
Branch: master

commit b2da4ea131da5e801c860194845acecb4ef6d808
Author: Wu Wenxiang <wu.wenxiang@99cloud.net>
Date: Sun Jun 9 12:17:34 2013 +0800

    Using sql as default driver for tokens

    kvs driver for tokens is not a production quality storage method.
    The shortcomings of using kvs as storage driver for tokens:
        1. It requires load balancer to persist connections to a single
    keystone server by token.
        2. The memory will grow out of control until token_flush is run.
        3. At some point kvs lookups get very slow because there are millions
    of keys in the dict.
        4. Process restart invalidates all tokens.

    Fixes: bug #1188370
    Change-Id: Ic726e12d798b843412158a7b92f5e3e3a654811f

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2013-07-17
Changed in keystone:
milestone: none → havana-2
status: Fix Committed → Fix Released

Reviewed: https://review.openstack.org/34650
Committed: http://github.com/openstack/keystone/commit/3f51d2addd38c418a55c01ca2f37e8bbe94319b5
Submitter: Jenkins
Branch: master

commit 3f51d2addd38c418a55c01ca2f37e8bbe94319b5
Author: Joe Gordon <email address hidden>
Date: Wed Jun 26 18:09:13 2013 -0700

    Deprecate kvs token backend

    This backend is not usable in any production environment. All OpenStack
    environments will already have a SQL DB, and if someone does not want to
    use the DB they can use the memcache backend.

    Fixes bug 1188301 and bug 1188370

    DocImpact This backend should not be mentioned in documentation, as it
    is not production grade and is deprecated.

    Change-Id: I41b147bcc70b79b4fc6df50b242a73cfcad33114

Thierry Carrez (ttx) on 2013-10-17
Changed in keystone:
milestone: havana-2 → 2013.2