Performance of authentication decreased 5 times

Bug #1697263 reported by Andriy Kurilin
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

While playing with rally-gates results, I discovered that performance of authentication method worsened.

Trends report: http://andreykurilin.me/trends/trends_gate-rally-dsvm-rally-ubuntu-xenial.html#/Authenticate.keystone

As for that scenario, it tries to authenticate 40 times in 20 threads. The minimum authentication time doesn't change a lot, but the average and maximum times increased ~5 times.

NOTE: results are taken from merged patches for rally project

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/473104

Andriy Kurilin (andreykurilin) wrote :

Proposed fix helped.
Proofs:

 * results of the depends-on change (https://review.openstack.org/#/c/473105/)
   http://logs.openstack.org/05/473105/2/check/gate-rally-dsvm-rally-ubuntu-xenial/f336d5b/rally-plot/results.html.gz#/Authenticate.keystone

 * regular results (from patch posted today)
   http://logs.openstack.org/42/460242/2/check/gate-rally-dsvm-rally-ubuntu-xenial/e9c664d/rally-plot/results.html.gz#/Authenticate.keystone

Morgan Fainberg (mdrnstm) wrote :

Password auth is meant to be slow-ish. This is expected; part of the move to bcrypt and scrypt is a higher time-complexity requirement. This is not really a bug. The options are tunable and rally can tune the time-complexity. The defaults are considered (widely) secure.

This is how we ensure the password hashes are hard(er) to brute force if they are leaked.

For now -2 on the proposed revert.

You can look at other things we can improve, but expect passwords to be a fixed-ish time to auth. For non-performance testing (aka devstack) we can floor the values to be the lowest time-complexity.

Anyway, in short, this fix is expected to make things slower for password auth in the grand scheme of things. This is how password hashing works.

Changed in keystone:
status: New → Incomplete
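
The trade-off described in the comment above, as an added example (not keystone code and not part of this report): Python's standard-library hashlib.scrypt is timed at a floored, test-only cost and at a higher cost, so the per-login slowdown can be read as the per-guess cost paid by anyone brute-forcing leaked hashes. The function names, the sample password and the cost values are assumptions chosen for illustration, not keystone defaults.

```python
# Added illustration; not keystone code. Standard library only.
import hashlib
import hmac
import os
import time

PASSWORD = b"constructed-sample-password"  # constructed sample input
MAXMEM = 2**26  # 64 MiB ceiling so the higher cost below is accepted


def hash_password(password, n, r=8, p=1):
    """Return (salt, digest) using scrypt with CPU/memory cost n."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password, salt=salt, n=n, r=r, p=p,
                            maxmem=MAXMEM, dklen=32)
    return salt, digest


def verify_password(password, salt, digest, n, r=8, p=1):
    """Recompute the hash and compare in constant time."""
    candidate = hashlib.scrypt(password, salt=salt, n=n, r=r, p=p,
                               maxmem=MAXMEM, dklen=32)
    return hmac.compare_digest(candidate, digest)


def seconds_per_verify(n, rounds=3):
    """Best-of-rounds wall time of one successful verification at cost n."""
    salt, digest = hash_password(PASSWORD, n)
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        ok = verify_password(PASSWORD, salt, digest, n)
        elapsed = time.perf_counter() - start
        if not ok:
            raise RuntimeError("verification failed")
        best = min(best, elapsed)
    return best


def compare_costs(low_n=2**4, high_n=2**14):
    """Time a floored (test-only) cost against a higher cost."""
    low, high = seconds_per_verify(low_n), seconds_per_verify(high_n)
    # One verification per guess: the login delay is also the guess rate limit.
    return {"low_s": low, "high_s": high,
            "guesses_per_s_low": 1 / low, "guesses_per_s_high": 1 / high}


if __name__ == "__main__":
    for name, value in compare_costs().items():
        print(f"{name}: {value:.6f}")
```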
Morgan Fainberg (mdrnstm) wrote :

Moved to incomplete, unless there is a clear real-world impact that is unforeseen in the code that is more than the added time-complexity of the better hashing algos.

OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by Morgan Fainberg (<email address hidden>) on branch: master
Review: https://review.openstack.org/473104
Reason: Administratively abandoning the CR, the issue has been fixed in devstack.

Andriy Kurilin (andreykurilin) wrote :
Changed in keystone:
status: Incomplete → Fix Released