enabled_emulation greatly reduces keystone performance

Bug #1299033 reported by Matt Fischer on 2014-03-28
This bug affects 3 people
Affects: OpenStack Identity (keystone)
Importance: Low
Assigned to: Unassigned

Bug Description

When enabled_emulation is enabled, the performance of Keystone suffers greatly. I see an approx. 4x slower result when it is enabled. I discussed this some in my blog post (http://www.mattfischer.com/blog/?p=561) and was asked to file a bug by Yuriy. Here are some results. Each query had about 20 results, but I've removed them since they have private emails and whatnot.

enabled_emulation off:

root@j1:~# time keystone user-list
+--------------+--------------+---------+---------------------------+
| id | name | enabled | email |
+--------------+--------------+---------+---------------------------+
| admin | admin | True | |
...
+--------------+--------------+---------+---------------------------+

real 0m2.767s
user 0m0.380s
sys 0m0.284s

enabled_emulation on:

root@j1:~# time keystone user-list
+--------------+--------------+---------+---------------------------+
| id | name | enabled | email |
+--------------+--------------+---------+---------------------------+
| admin | admin | True | |
...
+--------------+--------------+---------+---------------------------+

real 0m9.099s
user 0m0.508s
sys 0m0.084s

Similar results happen for tenant enabled emulation.

My LDAP box is a Free IPA server running on CentOS if that matters.

I'm running Keystone 2013.2.2-0ubuntu1~cloud0

Dolph Mathews (dolph) on 2014-03-28
tags: added: performance
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
tags: added: ldap
Steve Martinelli (stevemar) wrote :

There hasn't been any analysis of this; I'm wondering how many others are affected by this issue? Maybe we should look at removing the enabled emulation option? Does ldappool make the performance better?

Matt Fischer (mfisch) wrote :

ldappool may help but I'm guessing that absolutely zero people use this. Wasn't there also a change between this version and now that told ldap not to load all the attributes for an object?

Matt Fischer (mfisch) wrote :

In case that was not clear +1 to remove. Should discuss in Austin.

Matt Fischer (mfisch) wrote :

Love that I keep commenting to myself but my blog post has more details and some analysis by nkinder:

http://www.mattfischer.com/blog/?p=561

Morgan Fainberg (mdrnstm) wrote :

This is being de-prioritized and tagged "ldap-legacy". New (py3) compat LDAP code will be based on ldap3 library and will be a new driver. There is not a huge win in fixing this unless that initiative goes south.

Until the new driver exists though, this cannot be closed as "wont fix" since the current code is not "deprecated" yet.

tags: added: ldap-legacy
Changed in keystone:
importance: Medium → Low