fernet token validation is slow

Bug #1489061 reported by Matt Fischer
This bug affects 5 people
Affects                        Status   Importance  Assigned to  Milestone
OpenStack Identity (keystone)  Expired  Medium      Unassigned

Bug Description

keystone token validation operations are much slower than uuid operations. The performance is up to 4x slower, which makes other OpenStack API calls slower too.

Numbers from Dolph:

Token validation performance

          Response time          Requests per second
UUID      18.8 ms (baseline)     256.7 (baseline)
Fernet    93.8 ms (400% slower)  48.3 (81% slower)

My numbers running on a basic setup running keystone in a VM without a load balancer:

Tokens per second (serial):
UUID: 14.97
Fernet: 3.66

Tokens per second (concurrent 20 threads):
UUID: 46.18
Fernet: 12.92

Our numbers are similarly bad in production and it's impacting OpenStack performance when we're under load.

tags: added: fernet performance
Lance Bragstad (lbragstad) wrote :
Dolph Mathews (dolph) wrote :

Lance: if we can benchmark a performance improvement with that patch, it should be a Partial fix, not just Related.

Changed in keystone:
status: New → Confirmed
importance: Undecided → Medium
Lance Bragstad (lbragstad) wrote :

I'll see if I can find some time to stand up an environment to test against.

Lance Bragstad (lbragstad) wrote :
OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/215212
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=0bbf4c5b73c4a49a9c8d574b3326d0a16cbf6c2c
Submitter: Jenkins
Branch: master

commit 0bbf4c5b73c4a49a9c8d574b3326d0a16cbf6c2c
Author: Lance Bragstad <email address hidden>
Date: Fri Oct 16 16:51:21 2015 +0000

    Add caching to get_catalog

    This commit adds caching to the get_catalog call, per user ID and
    project ID. Both the v2 and v3 catalogs are built based on the result of
    this method, so this provides caching for both APIs.

    As a result, this should provide a performance benefit to Fernet-based
    deployments, which must otherwise rebuild the catalog on each token
    validation.

    Tested on top of the current stable/liberty, this patch improves the
    time of cacheable Fernet token creation requests by 16.7% and of
    Fernet token validation requests by 7.5%:

      https://gist.github.com/dolph/3bf24039b83a147eeb5c

    Change-Id: I147c5b8e7dcfe1786fe8a534182dbeef33925eac
    Co-Authored-By: Dolph Mathews <email address hidden>
    Related-Bug: 1489061

Grzegorz Grasza (xek)
Changed in keystone:
assignee: nobody → Grzegorz Grasza (xek)
Lance Bragstad (lbragstad) wrote :

We are also in the process of adding caching to role assignments - https://review.openstack.org/#/c/215715/

Which is related to this review.

Changed in keystone:
assignee: Grzegorz Grasza (xek) → Lance Bragstad (lbragstad)
status: Confirmed → In Progress
Changed in keystone:
assignee: Lance Bragstad (lbragstad) → Morgan Fainberg (mdrnstm)
Changed in keystone:
assignee: Morgan Fainberg (mdrnstm) → Dolph Mathews (dolph)
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/215715
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=cd906266e67c8a8a8ae9676d2fa6dd1bd2f59bd8
Submitter: Jenkins
Branch: master

commit cd906266e67c8a8a8ae9676d2fa6dd1bd2f59bd8
Author: Morgan Fainberg <email address hidden>
Date: Fri Jan 22 13:13:46 2016 -0800

    Add caching to role assignments

    This patch aims to optimize the token creation
    time by caching role assignments used for
    populating user roles in the token data.

    Two methods in the assignment manager are cached:

    - get_roles_for_user_and_domain
    - get_roles_for_user_and_project

    This change, in addition to I147c5b8e7dcfe1786fe8a534182dbeef33925eac,
    reduces the Fernet token creation time by 28%.

    The full performance report can be found here:

      https://gist.github.com/dolph/3bf24039b83a147eeb5c

    Partial-Bug: 1489061

    Co-Authored-By: Samuel de Medeiros Queiroz <email address hidden>
    Co-Authored-By: Morgan Fainberg <email address hidden>

    Change-Id: Id6ee76f896fe738b4c4de432eb57cc0437ffdb6b

Steve Martinelli (stevemar) wrote :

Lance, should we close this up?

No other recent fixes and I'm not sure on the numbers, but caching the catalog had to have helped quite a bit.

Matt Fischer (mfisch) wrote :

Let's close it out. I will generate new numbers as we Dockerize and upgrade keystone, hopefully in March.

Dolph Mathews (dolph) wrote :

This patch should address my last few concerns revealed from profiling a synthetic benchmark run:

  https://review.openstack.org/#/c/272007/

Morgan Fainberg (mdrnstm) wrote :

Marked incomplete awaiting more data. There have been a lot of varied updates to address token performance.

This change of status is based on convo w/ mfisch in IRC on March 2, 2016.

Changed in keystone:
assignee: Dolph Mathews (dolph) → nobody
status: In Progress → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for OpenStack Identity (keystone) because there has been no activity for 60 days.]

Changed in keystone:
status: Incomplete → Expired
OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/298748
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=54da44bd41f956b43e018b69df2eb65a53e62fc1
Submitter: Jenkins
Branch: master

commit 54da44bd41f956b43e018b69df2eb65a53e62fc1
Author: Lance Bragstad <email address hidden>
Date: Fri Jun 3 04:19:45 2016 +0000

    Cache service providers on token validation

    On fernet token validation we rebuild the entire token catalog. This includes
    rebuilding the service providers references in the token if using a federated
    token. In the mitaka release, patches were added to cache user catalogs and
    role assignments. This allows us to do the same thing for service providers,
    which decreases the time spent in get_token_data() by 34%.

    Co-Authored-By: Dolph Mathews <email address hidden>

    Related-Bug: 1489061
    Change-Id: I3dfe66880295ef36a18ca3e384191106b74be795
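
Added example (not keystone code and not part of any comment above): a sketch of why validating a non-persistent token repeats the role and catalog lookups on every request, and what caching them per user ID and project ID changes, as the three commits in this thread describe. The `Backend` and `Validator` classes, the sample data and the HMAC-signed token (a stdlib stand-in for Fernet) are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"  # constructed; stands in for the Fernet key repository

class Backend:  # constructed stand-in for assignment/catalog backends; counts lookups
    def __init__(self):
        self.calls = 0
        self.roles = {("u1", "p1"): ["member"]}  # constructed sample data
    def get_roles(self, user_id, project_id):
        self.calls += 1
        return list(self.roles.get((user_id, project_id), []))
    def get_catalog(self, user_id, project_id):
        self.calls += 1
        return [{"type": "identity", "url": "https://keystone.example/v3"}]

class Validator:
    def __init__(self, backend, ttl=None):  # ttl=None disables caching
        self.backend, self.ttl, self.cache = backend, ttl, {}
    def issue(self, user_id, project_id, lifetime=3600):
        # Non-persistent token: only identifiers and expiry travel in the token.
        claims = {"u": user_id, "p": project_id, "exp": time.time() + lifetime}
        body = json.dumps(claims).encode()
        mac = hmac.new(KEY, body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(mac + body)
    def _memo(self, name, fn, key):
        if self.ttl is None:
            return fn(*key)
        hit = self.cache.get((name, key))
        if hit and hit[0] > time.monotonic():
            return hit[1]
        value = fn(*key)
        self.cache[(name, key)] = (time.monotonic() + self.ttl, value)
        return value
    def invalidate(self, user_id, project_id):  # call on role or catalog changes
        for name in ("roles", "catalog"):
            self.cache.pop((name, (user_id, project_id)), None)
    def validate(self, token):
        raw = base64.urlsafe_b64decode(token)
        mac, body = raw[:32], raw[32:]
        if not hmac.compare_digest(mac, hmac.new(KEY, body, hashlib.sha256).digest()):
            raise ValueError("bad signature")
        claims = json.loads(body)
        if claims["exp"] < time.time():
            raise ValueError("expired")
        key = (claims["u"], claims["p"])
        roles = self._memo("roles", self.backend.get_roles, key)  # rebuilt per request
        if not roles:
            raise ValueError("no role on project")
        catalog = self._memo("catalog", self.backend.get_catalog, key)
        return {"user": key[0], "project": key[1], "roles": roles, "catalog": catalog}
```

With caching enabled, a role removed in the backend keeps appearing in validation responses until the entry expires or `invalidate` is called, so the cache lifetime bounds how long a revoked assignment remains effective.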
