OpenStack Identity (keystone)

Validation of tokens degraded after upgrade to Rocky

Bug #1796887 reported by Jose Castro Leon on 2018-10-09

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	High	Jose Castro Leon	OpenStack Identity (keystone) stein-1

Bug Description

Recently we have upgraded Keystone to the Rocky release and we saw a quite noticiable increase of the response on validation of certain types of tokens. Specifically tokens that are created from trusts.

On the new token model (keystone/models/token_model.py) that's evaluated several times during token validation, the call to retrieve the roles from the trust is retrieving the information directly from the DB with no caching whatsoever. On other operations of the token_model, this information is only requested once, and then cached for following operations.

Since we are using heat and magnum, that are heavily using trusts, we were impacted by this change of validation response.

See original description

Tags:

Jose Castro Leon (jose-castro-leon) on 2018-10-09

description:

updated

Jose Castro Leon (jose-castro-leon) on 2018-10-09

Changed in keystone:
assignee:	nobody → Jose Castro Leon (jose-castro-leon)

OpenStack Infra (hudson-openstack) on 2018-10-12

Changed in keystone:
status:	New → In Progress

wangxiyuan (wangxiyuan) on 2018-10-15

tags:

added: performance

Lance Bragstad (lbragstad) on 2018-10-15

tags:	added: rocky-backport-potential
Changed in keystone:
importance:	Undecided → High

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-10-23: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/608963
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d465a58f02f134086d6322c5b858c056a3aea025
Submitter: Zuul
Branch: master

commit d465a58f02f134086d6322c5b858c056a3aea025
Author: Jose Castro Leon <email address hidden>
Date: Tue Oct 9 15:11:48 2018 +0200

Add caching on trust role validation to improve performance

    In the token model, the trust roles are not cached. This behavior
    impacts services that are using trusts heavily like heat or magnum.
    It introduces new cache data to improve the performance on token
    validation requests on trusts.

Change-Id: I974907b427c34fd5db3228b6139d93bbcdc38df5
Closes-Bug: #1796887

Changed in keystone:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-10-23: Fix proposed to keystone (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/612600

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-10-24: Fix merged to keystone (stable/rocky)

Reviewed: https://review.openstack.org/612600
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=618e5956da4a0248ccce06da8807c30b1255d073
Submitter: Zuul
Branch: stable/rocky

commit 618e5956da4a0248ccce06da8807c30b1255d073
Author: Jose Castro Leon <email address hidden>
Date: Tue Oct 9 15:11:48 2018 +0200

Add caching on trust role validation to improve performance

    Change-Id: I974907b427c34fd5db3228b6139d93bbcdc38df5
    Closes-Bug: #1796887
    (cherry picked from commit d465a58f02f134086d6322c5b858c056a3aea025)