OpenStack Identity (keystone)

  1. Bug #1524030
  2. Comment #16

Comment 16 for bug 1524030

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/253273
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8eb29c37d1a5163d4f485c559399a4b82969e21e
Submitter: Zuul
Branch: master

commit 8eb29c37d1a5163d4f485c559399a4b82969e21e
Author: Jorge Munoz <email address hidden>
Date: Fri Nov 24 22:59:32 2017 +0000

    Validate disabled domains and projects online

    Keystone's performance degrades as the `revocation_event` table grows
    in size. This patch reduces the total number of events written to the
    table by not persisting events when a domain or project is disabled.

    The main reason for persisting a revocation event when a project or
    domain is disabled is to make sure tokens associated to those targets
    are considered invalid. Instead of relying on revocation events, we
    can check if the project or domain is enabled when we validate the
    token. We take the same approach when we validate a user's role
    assignments instead of relying on an ever-growing database table.

    Co-Authored-By: Lance Bragstad <email address hidden>

    Closes-Bug: 1524030
    Change-Id: I76330567e0df2d9f2af88ef9b6b98b8c379e7406