Fernet tokens read from disk on every request

Bug #1452418 reported by Dolph Mathews on 2015-05-06
This bug affects 1 person
Affects: OpenStack Identity (keystone) | Importance: Low | Assigned to: Dolph Mathews
Affects: Kilo | Importance: Low | Assigned to: Dolph Mathews

Bug Description

The fernet keys are stored (by default) in /etc/keystone/fernet-keys/ in individual key files. All keys are read from disk on every request, so you end up with log spam like:

  keystone.token.providers.fernet.utils [-] Loaded 2 encryption keys from: /etc/keystone/fernet-keys/

Keystone really only needs to hit the disk periodically to check for a different set of keys, not on every request.
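
The periodic reload described in the report, sketched as an added example that is not keystone's code and not part of the original report. The class name, the `ttl` parameter, the integer key file names and the choice to log only when the key set changes are assumptions, and the key contents are constructed placeholders:

```python
import os
import tempfile
import time


class CachedKeyRepository:
    """Re-read the key directory at most once per `ttl` seconds."""
    def __init__(self, key_dir, ttl=60.0, clock=time.monotonic):
        self.key_dir, self.ttl, self.clock = key_dir, ttl, clock
        self.disk_reads, self.messages = 0, []  # messages stands in for LOG.info()
        self._keys, self._loaded_at = [], None

    def _read_from_disk(self):
        self.disk_reads += 1
        keys = {}
        for name in os.listdir(self.key_dir):
            if name.isdigit():      # assumption: key files are named 0, 1, 2, ...
                with open(os.path.join(self.key_dir, name)) as f:
                    keys[int(name)] = f.read().strip()
        return [keys[i] for i in sorted(keys, reverse=True)]

    def load_keys(self):
        now = self.clock()
        if self._loaded_at is None or now - self._loaded_at >= self.ttl:
            keys = self._read_from_disk()
            if keys != self._keys:  # log only when the key set changed
                self.messages.append("Loaded %d encryption keys from: %s"
                                     % (len(keys), self.key_dir))
            self._keys, self._loaded_at = keys, now
        return list(self._keys)


def demo():
    """Constructed scenario: 100 requests, a key rotation, then a TTL expiry."""
    fake_now = [0.0]
    with tempfile.TemporaryDirectory() as key_dir:
        for i in range(2):          # constructed placeholder keys, not real ones
            with open(os.path.join(key_dir, str(i)), "w") as f:
                f.write("constructed-key-%d" % i)
        repo = CachedKeyRepository(key_dir, ttl=60.0, clock=lambda: fake_now[0])
        for _ in range(100):
            repo.load_keys()
        reads_before = repo.disk_reads
        with open(os.path.join(key_dir, "2"), "w") as f:
            f.write("constructed-key-2")
        stale = len(repo.load_keys())   # still 2: rotation not yet visible
        fake_now[0] = 61.0
        fresh = len(repo.load_keys())   # TTL expired: directory re-read
        return reads_before, stale, fresh, repo.disk_reads, len(repo.messages)
```

The trade-off is staleness: for up to `ttl` seconds after a rotation this process keeps serving the old key set, which the `stale` value in `demo()` shows.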

Dolph Mathews (dolph) on 2015-05-06
tags: added: fernet

Fix proposed to branch: master
Review: https://review.openstack.org/180758

Changed in keystone:
assignee: nobody → Dolph Mathews (dolph)
status: Triaged → In Progress
Changed in keystone:
milestone: liberty-1 → liberty-2
Dolph Mathews (dolph) on 2015-07-08
Changed in keystone:
importance: Medium → Low
milestone: liberty-2 → none

Change abandoned by Dolph Mathews (<email address hidden>) on branch: master
Review: https://review.openstack.org/180758

David Stanek (dstanek) wrote :

The most recent patch was abandoned because there wasn't much of a speed improvement by caching the key files. One possible thing we can do here is address the massive amount of logging that this generates.

Changed in keystone:
importance: Low → Wishlist
tags: added: low-hanging-fruit

Change abandoned by Alan Pevec (<email address hidden>) on branch: stable/kilo
Review: https://review.openstack.org/180759
Reason: master change https://review.openstack.org/180758 was abandoned so backport needs to be abandoned too

Dolph Mathews (dolph) on 2015-07-29
Changed in keystone:
status: In Progress → Triaged

Fix proposed to branch: master
Review: https://review.openstack.org/207190

Changed in keystone:
status: Triaged → In Progress
Dolph Mathews (dolph) wrote :

The number of log messages is addressed by https://review.openstack.org/207190

Dolph Mathews (dolph) wrote :

Setting this back to Low because there's no "featureful" impact of any kind on end users or deployers.

Changed in keystone:
importance: Wishlist → Low

Reviewed: https://review.openstack.org/207190
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=207e9783bdc5ae6200a77f3307197777634da951
Submitter: Jenkins
Branch: master

commit 207e9783bdc5ae6200a77f3307197777634da951
Author: Dolph Mathews <email address hidden>
Date: Wed Jul 29 19:27:50 2015 +0000

    Reduce number of Fernet log messages

    This particular message gets quite repetitive as it's logged per token
    creation & validation request. Once max_active_keys is reached, it has
    little utility beyond letting you know that the number of active Fernet
    keys is (still) correct.

    Change-Id: I6f497a5defa3c1da5bda54aa5f9e7303a0352d83
    Closes-Bug: 1452418

Changed in keystone:
status: In Progress → Fix Committed

Reviewed: https://review.openstack.org/212948
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=2f580e4adbafbe6530bd8ab9eff4c085bbb53909
Submitter: Jenkins
Branch: stable/kilo

commit 2f580e4adbafbe6530bd8ab9eff4c085bbb53909
Author: Dolph Mathews <email address hidden>
Date: Wed Jul 29 19:27:50 2015 +0000

    Reduce number of Fernet log messages

    This particular message gets quite repetitive as it's logged per token
    creation & validation request. Once max_active_keys is reached, it has
    little utility beyond letting you know that the number of active Fernet
    keys is (still) correct.

    NOTE: Unlike the patch to master, this backport does not change the log
    message itself, only whether or not it is logged.

    Change-Id: I6f497a5defa3c1da5bda54aa5f9e7303a0352d83
    Closes-Bug: 1452418
    (cherry picked from commit 207e9783bdc5ae6200a77f3307197777634da951)

Changed in keystone:
milestone: none → liberty-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2015-10-15
Changed in keystone:
milestone: liberty-3 → 8.0.0