kvs driver for tokens is not a production quality default

Bug #1188370 reported by Clint Byrum
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Low
Assigned to: Wu Wenxiang

Bug Description

The default storage method for tokens is kvs. This has several drawbacks that make it unsuitable for production:

* Requires load balancer to persist connections to a single keystone server by token.
* Memory will grow out of control until token_flush is run.
* At some point kvs lookups get very slow because there are millions of keys in the dict.
* Process restart invalidates all tokens.

A much more production friendly default would be sql. SQL index lookup times will be nearly O(1) for even the largest table, and the flush is only needed to preserve disk space, which is far more abundant and affordable than RAM. Also we already default to SQL for catalog, policy, identity, trust, and credential.
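
The load-balancer and restart drawbacks from the list above, reproduced as an added example (not part of the original report and not keystone's code). `KvsTokenStore`, `SqlTokenStore` and `simulate` are hypothetical names, and SQLite stands in for the deployment's SQL database.

```python
import sqlite3
import time
import uuid


class KvsTokenStore:
    """Hypothetical stand-in for the kvs backend: a dict inside one process."""

    def __init__(self):
        self._tokens = {}

    def issue(self, user, ttl=3600):
        token = uuid.uuid4().hex
        self._tokens[token] = (user, time.time() + ttl)
        return token

    def validate(self, token):
        user, expires = self._tokens.get(token, (None, 0))
        return user if expires > time.time() else None


class SqlTokenStore:
    """Hypothetical stand-in for the sql backend: a table all workers open."""

    def __init__(self, path):
        self._db = sqlite3.connect(path)
        self._db.execute("CREATE TABLE IF NOT EXISTS token "
                         "(id TEXT PRIMARY KEY, user_id TEXT, expires REAL)")

    def issue(self, user, ttl=3600):
        row = (uuid.uuid4().hex, user, time.time() + ttl)
        with self._db:  # commit so other connections see the row
            self._db.execute("INSERT INTO token VALUES (?, ?, ?)", row)
        return row[0]

    def validate(self, token):
        found = self._db.execute("SELECT user_id FROM token WHERE id = ? AND "
                                 "expires > ?", (token, time.time())).fetchone()
        return found[0] if found else None


def simulate(make_store):
    """Issue on worker A, validate on worker B, then on A after a restart."""
    worker_a, worker_b = make_store(), make_store()
    token = worker_a.issue("alice")  # constructed sample user
    seen_by_b = worker_b.validate(token)
    worker_a = make_store()  # restart: fresh process state
    return seen_by_b, worker_a.validate(token)
```

`simulate(KvsTokenStore)` fails both validations, while `simulate(lambda: SqlTokenStore(path))` with one shared database file passes both.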

Dolph Mathews (dolph)
Changed in keystone:
status: New → Confirmed
importance: Undecided → Low
Changed in keystone:
assignee: nobody → Wu Wenxiang (wu-wenxiang)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/32296

Changed in keystone:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/32296
Committed: http://github.com/openstack/keystone/commit/b2da4ea131da5e801c860194845acecb4ef6d808
Submitter: Jenkins
Branch: master

commit b2da4ea131da5e801c860194845acecb4ef6d808
Author: Wu Wenxiang <wu.wenxiang@99cloud.net>
Date: Sun Jun 9 12:17:34 2013 +0800

    Using sql as default driver for tokens

    kvs driver for tokens is not a production quality storage method.
    The shortcomings of using kvs as storage driver for tokens:
        1. It requires load balancer to persist connections to a single
    keystone server by token.
        2. The memory will grow out of control until token_flush is run.
        3. At some point kvs lookups get very slow because there are millions
    of keys in the dict.
        4. Process restart invalidates all tokens.

    Fixes: bug #1188370
    Change-Id: Ic726e12d798b843412158a7b92f5e3e3a654811f

Changed in keystone:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/34650

Thierry Carrez (ttx)
Changed in keystone:
milestone: none → havana-2
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/34650
Committed: http://github.com/openstack/keystone/commit/3f51d2addd38c418a55c01ca2f37e8bbe94319b5
Submitter: Jenkins
Branch: master

commit 3f51d2addd38c418a55c01ca2f37e8bbe94319b5
Author: Joe Gordon <email address hidden>
Date: Wed Jun 26 18:09:13 2013 -0700

    Deprecate kvs token backend

    This backend is not usable in any production environment. All OpenStack
    environments will already have a SQL DB, and if someone does not want to
    use the DB they can use the memcache backend.

    Fixes bug 1188301 and bug 1188370

    DocImpact This backend should not be mentioned in documentation, as it
    is not production grade and is deprecated.

    Change-Id: I41b147bcc70b79b4fc6df50b242a73cfcad33114

Thierry Carrez (ttx)
Changed in keystone:
milestone: havana-2 → 2013.2