Fernet tokens read from disk on every request

Bug #1452418 reported by Dolph Mathews
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | Low | Dolph Mathews |
Kilo | Fix Released | Low | Dolph Mathews |

Bug Description

The fernet keys are stored (by default) in /etc/keystone/fernet-keys/ in individual key files. All keys are read from disk on every request, so you end up with log spam like:

  keystone.token.providers.fernet.utils [-] Loaded 2 encryption keys from: /etc/keystone/fernet-keys/

Keystone really only needs to hit the disk periodically to check for a different set of keys, not on every request.
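
The periodic check described above, as an added example (not Keystone's code and not part of the original report): keys are re-read only when a cheap scan of the key directory shows a change, and the "Loaded N encryption keys" line is logged only on a reload. The class name, the check_interval parameter, the numeric file-name filter and the key ordering are assumptions of this sketch.

```python
import logging
import os
import time

LOG = logging.getLogger(__name__)


class CachedKeyRepository:
    """Hypothetical loader: re-read key files only when the directory changes."""

    def __init__(self, key_dir, check_interval=60.0, clock=time.monotonic):
        self.key_dir = key_dir
        self.check_interval = check_interval  # seconds between directory checks
        self._clock = clock
        self._keys = []
        self._signature = None  # None means "never loaded"
        self._next_check = 0.0
        self.disk_reads = 0  # counts full reloads, for demonstration

    def _scan(self):
        # Cheap change detector: (index, name, mtime, size) per key file.
        sig = []
        for name in os.listdir(self.key_dir):
            if name.isdecimal():  # assumption: key files have numeric names
                st = os.stat(os.path.join(self.key_dir, name))
                sig.append((int(name), name, st.st_mtime_ns, st.st_size))
        return sorted(sig)

    def load_keys(self):
        now = self._clock()
        if self._signature is not None and now < self._next_check:
            return self._keys  # hot path: no disk access, no log line
        self._next_check = now + self.check_interval
        sig = self._scan()
        if sig != self._signature:
            keys = []
            for _, name, _, _ in sig:
                with open(os.path.join(self.key_dir, name), "rb") as f:
                    keys.append(f.read().strip())
            keys.reverse()  # highest-numbered first (ordering is an assumption)
            self._keys, self._signature = keys, sig
            self.disk_reads += 1
            # Log only when the key set actually changed.
            LOG.info("Loaded %d encryption keys from: %s", len(keys), self.key_dir)
        return self._keys
```

check_interval bounds how long a process can keep using an old key set after a rotation, so it should stay well below the rotation period.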

Dolph Mathews (dolph)
tags: added: fernet
Lance Bragstad (lbragstad) wrote :
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/180758

Changed in keystone:
assignee: nobody → Dolph Mathews (dolph)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/180759

Changed in keystone:
milestone: liberty-1 → liberty-2
Dolph Mathews (dolph)
Changed in keystone:
importance: Medium → Low
milestone: liberty-2 → none
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by Dolph Mathews (<email address hidden>) on branch: master
Review: https://review.openstack.org/180758

David Stanek (dstanek) wrote :

The most recent patch was abandoned because there wasn't much of a speed improvement by caching the key files. One possible thing we can do here is address the massive amount of logging that this generates.

Changed in keystone:
importance: Low → Wishlist
tags: added: low-hanging-fruit
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (stable/kilo)

Change abandoned by Alan Pevec (<email address hidden>) on branch: stable/kilo
Review: https://review.openstack.org/180759
Reason: master change https://review.openstack.org/180758 was abandoned so backport needs to be abandoned too

Dolph Mathews (dolph)
Changed in keystone:
status: In Progress → Triaged
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/207190

Changed in keystone:
status: Triaged → In Progress
Dolph Mathews (dolph) wrote :

The number of log messages is addressed by https://review.openstack.org/207190

Dolph Mathews (dolph) wrote :

Setting this back to Low because there's no "featureful" impact of any kind on end users or deployers.

Changed in keystone:
importance: Wishlist → Low
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/207190
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=207e9783bdc5ae6200a77f3307197777634da951
Submitter: Jenkins
Branch: master

commit 207e9783bdc5ae6200a77f3307197777634da951
Author: Dolph Mathews <email address hidden>
Date: Wed Jul 29 19:27:50 2015 +0000

    Reduce number of Fernet log messages

    This particular message gets quite repetitive as it's logged per token
    creation & validation request. Once max_active_keys is reached, it has
    little utility beyond letting you know that the number of active Fernet
    keys is (still) correct.

    Change-Id: I6f497a5defa3c1da5bda54aa5f9e7303a0352d83
    Closes-Bug: 1452418

Changed in keystone:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/212948

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/kilo)

Reviewed: https://review.openstack.org/212948
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=2f580e4adbafbe6530bd8ab9eff4c085bbb53909
Submitter: Jenkins
Branch: stable/kilo

commit 2f580e4adbafbe6530bd8ab9eff4c085bbb53909
Author: Dolph Mathews <email address hidden>
Date: Wed Jul 29 19:27:50 2015 +0000

    Reduce number of Fernet log messages

    This particular message gets quite repetitive as it's logged per token
    creation & validation request. Once max_active_keys is reached, it has
    little utility beyond letting you know that the number of active Fernet
    keys is (still) correct.

    NOTE: Unlike the patch to master, this backport does not change the log
    message itself, only whether or not it is logged.

    Change-Id: I6f497a5defa3c1da5bda54aa5f9e7303a0352d83
    Closes-Bug: 1452418
    (cherry picked from commit 207e9783bdc5ae6200a77f3307197777634da951)

Changed in keystone:
milestone: none → liberty-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: liberty-3 → 8.0.0