Validation of tokens degraded after upgrade to Rocky

Bug #1796887 reported by Jose Castro Leon on 2018-10-09
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
High
Jose Castro Leon

Bug Description

Recently we have upgraded Keystone to the Rocky release and we saw a quite noticiable increase of the response on validation of certain types of tokens. Specifically tokens that are created from trusts.

On the new token model (keystone/models/token_model.py) that's evaluated several times during token validation, the call to retrieve the roles from the trust is retrieving the information directly from the DB with no caching whatsoever. On other operations of the token_model, this information is only requested once, and then cached for following operations.

Since we are using heat and magnum, that are heavily using trusts, we were impacted by this change of validation response.

description: updated
Changed in keystone:
assignee: nobody → Jose Castro Leon (jose-castro-leon)
Changed in keystone:
status: New → In Progress
wangxiyuan (wangxiyuan) on 2018-10-15
tags: added: performance
tags: added: rocky-backport-potential
Changed in keystone:
importance: Undecided → High

Reviewed: https://review.openstack.org/608963
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d465a58f02f134086d6322c5b858c056a3aea025
Submitter: Zuul
Branch: master

commit d465a58f02f134086d6322c5b858c056a3aea025
Author: Jose Castro Leon <email address hidden>
Date: Tue Oct 9 15:11:48 2018 +0200

    Add caching on trust role validation to improve performance

    In the token model, the trust roles are not cached. This behavior
    impacts services that are using trusts heavily like heat or magnum.
    It introduces new cache data to improve the performance on token
    validation requests on trusts.

    Change-Id: I974907b427c34fd5db3228b6139d93bbcdc38df5
    Closes-Bug: #1796887

Changed in keystone:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/612600
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=618e5956da4a0248ccce06da8807c30b1255d073
Submitter: Zuul
Branch: stable/rocky

commit 618e5956da4a0248ccce06da8807c30b1255d073
Author: Jose Castro Leon <email address hidden>
Date: Tue Oct 9 15:11:48 2018 +0200

    Add caching on trust role validation to improve performance

    In the token model, the trust roles are not cached. This behavior
    impacts services that are using trusts heavily like heat or magnum.
    It introduces new cache data to improve the performance on token
    validation requests on trusts.

    Change-Id: I974907b427c34fd5db3228b6139d93bbcdc38df5
    Closes-Bug: #1796887
    (cherry picked from commit d465a58f02f134086d6322c5b858c056a3aea025)

tags: added: in-stable-rocky

This issue was fixed in the openstack/keystone 14.0.1 release.

Changed in keystone:
milestone: none → stein-1

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers