OpenStack Identity (keystone)

keystone.token.backends.sql list_revoked_tokens performs very poorly

Bug #1253755 reported by Clint Byrum
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Fix Released
Medium
Clint Byrum
OpenStack Identity (keystone) 2014.1 "icehouse"
Havana
Fix Released
Medium
Dirk Mueller
OpenStack Identity (keystone) 2013.2.2

Bug Description

The query that it makes use of is extremely inefficient, as it must retrieve the massive 'extra' field when it does not need it. Also there is no index that covers both expires and valid, so we can only do a range query on expires and then filter for valid.

Test situation is a poorly tuned mysql that has a token table with 865000 rows, 35000 of which are revoked (2000 of which are unexpired).

Adding an index on token+valid did speed the query up some, but it still took on average 2 seconds to return all ~2000 revoked token rows. Also changing the query to only query the id and expires columns resulted in the query taking 0.02 seconds to run, leading to a much more responsive experience throughout the cloud.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/57975

Changed in keystone:
assignee: nobody → Clint Byrum (clint-fewbar)
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/57976

Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Medium
Revision history for this message
Dolph Mathews (dolph) wrote :

This has potential to land as the first migration since stable/havana was cut, so this could be backported.

tags: added: havana-backport-potential
Revision history for this message
Dolph Mathews (dolph) wrote :

This will also be solved by https://blueprints.launchpad.net/keystone/+spec/revocation-events in icehouse, as we can optionally disable the API and it's backend.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/57975
Committed: http://github.com/openstack/keystone/commit/dd2c80c566f20a97a22e0d7d5a514be84772a955
Submitter: Jenkins
Branch: master

commit dd2c80c566f20a97a22e0d7d5a514be84772a955
Author: Clint Byrum <email address hidden>
Date: Thu Nov 21 11:12:17 2013 -0800

    Add index to cover revoked token list

    The individual expires and valid indexes do not fully cover the most
    common query, which is the one that lists revoked tokens.

    Change-Id: I112332b49dac148e5231b76f3399fe60174a702d
    Partial-Bug: #1253755

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/57976
Committed: http://github.com/openstack/keystone/commit/ab7221246af394f24e47484e822b8dcda37411aa
Submitter: Jenkins
Branch: master

commit ab7221246af394f24e47484e822b8dcda37411aa
Author: Clint Byrum <email address hidden>
Date: Fri Nov 22 08:50:39 2013 -0800

    Narrow columns used in list_revoked_tokens sql

    Currently the SQL backend lists revoked tokens by selecting all of the
    columns, including the massive "extra" column. This places a significant
    burden on the client library and wastes resources. We only need the
    id/expired columns to satisfy the API call.

    In tests this query was several orders of magnitude faster with just two
    thousand un-expired revoked tokens.

    Change-Id: I04d62b98d5d760a3fbc3c8db61530f7ebccb0a48
    Closes-Bug: #1253755

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → icehouse-2
status: Fix Committed → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/havana)

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/69884

Alan Pevec (apevec)
tags: removed: havana-backport-potential
Thierry Carrez (ttx)
Changed in keystone:
milestone: icehouse-2 → 2014.1
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.