kvs driver for tokens is not a production quality default
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Low | Wu Wenxiang |
Bug Description
The default storage method for tokens is kvs. This has several drawbacks that make it unsuitable for production:
* Requires load balancer to persist connections to a single keystone server by token.
* Memory will grow out of control until token_flush is run.
* At some point kvs lookups get very slow because there are millions of keys in the dict.
* Process restart invalidates all tokens.
A much more production friendly default would be sql. SQL index lookup times will be nearly O(1) for even the largest table, and the flush is only needed to preserve disk space, which is far more abundant and affordable than RAM. Also we already default to SQL for catalog, policy, identity, trust, and credential.
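The first and last drawbacks listed in the description, modelled as an added example (not keystone's code and not part of the original report). `KvsTokenStore`, `SqlTokenStore` and `compare_backends` are hypothetical names, and SQLite stands in for the SQL backend.

```python
import os, sqlite3, tempfile, time, uuid

class KvsTokenStore:
    # Simplified model of a per-process dict store (hypothetical, not keystone's class).
    def __init__(self):
        self._tokens = {}  # lives only in this process's memory
    def issue(self, user, ttl):
        tid = uuid.uuid4().hex
        self._tokens[tid] = (user, time.time() + ttl)
        return tid
    def validate(self, tid):
        rec = self._tokens.get(tid)
        return rec[0] if rec and rec[1] > time.time() else None

class SqlTokenStore:
    # Shared table: every worker opening the same database sees the same tokens.
    def __init__(self, path):
        self._db = sqlite3.connect(path)
        self._db.execute("CREATE TABLE IF NOT EXISTS token "
                         "(id TEXT PRIMARY KEY, user TEXT, expires REAL)")
        self._db.execute("CREATE INDEX IF NOT EXISTS ix_expires ON token (expires)")
    def issue(self, user, ttl):
        tid = uuid.uuid4().hex
        self._db.execute("INSERT INTO token VALUES (?, ?, ?)", (tid, user, time.time() + ttl))
        self._db.commit()
        return tid
    def validate(self, tid):
        rows = self._db.execute("SELECT user FROM token WHERE id = ? AND expires > ?",
                                (tid, time.time())).fetchall()
        return rows[0][0] if rows else None
    def flush(self):  # only reclaims disk space; lookups stay indexed without it
        cur = self._db.execute("DELETE FROM token WHERE expires <= ?", (time.time(),))
        self._db.commit()
        return cur.rowcount

def compare_backends():
    # Issue on worker A, then validate on worker B and on a freshly restarted worker.
    results = {}
    a, b = KvsTokenStore(), KvsTokenStore()
    t = a.issue("alice", 60)
    results["kvs_other_worker"] = b.validate(t)
    results["kvs_after_restart"] = KvsTokenStore().validate(t)
    path = os.path.join(tempfile.mkdtemp(), "tokens.db")  # constructed sample database
    a, b = SqlTokenStore(path), SqlTokenStore(path)
    t = a.issue("alice", 60)
    a.issue("bob", -1)  # constructed token that is already expired
    results["sql_other_worker"] = b.validate(t)
    results["sql_after_restart"] = SqlTokenStore(path).validate(t)
    results["sql_flushed"] = a.flush()
    return results
```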
Changed in keystone:
status: New → Confirmed
importance: Undecided → Low
Changed in keystone:
assignee: nobody → Wu Wenxiang (wu-wenxiang)
Changed in keystone:
milestone: none → havana-2
status: Fix Committed → Fix Released
Changed in keystone:
milestone: havana-2 → 2013.2
Fix proposed to branch: master
Review: https://review.openstack.org/32296