OpenStack Identity (keystone)

Performance issue when deleting trusts

Bug #1935840 reported by Jose Castro Leon on 2021-07-12

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	Undecided	Jose Castro Leon

Bug Description

During a trust deletion, the backend will fetch all trusts belonging to the same trustor and find if there is any delegated trust based on the one we are deleting. So it can delete it as well.

If the backend list_trusts_for_trustor returns a considerable amount of trusts, the whole process will load a huge amount of memory and loop over it. On 380k trusts with no redelegation, the api call takes 35 seconds to process and 2.5 GB of memory while looping.

Just by passing the filter to the backend and filter out the trusts that have delegation, the api call takes around a second with no further increase in memory utilisation.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-07-13: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/keystone/+/800606

Changed in keystone:
status:	New → In Progress

Jose Castro Leon (jose-castro-leon) on 2021-07-13

Changed in keystone:
assignee:	nobody → Jose Castro Leon (jose-castro-leon)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-12-08: Fix merged to keystone (master)

Reviewed: https://review.opendev.org/c/openstack/keystone/+/800606
Committed: https://opendev.org/openstack/keystone/commit/23477a13ab29e952a77184c5cf989ecfa175a3ab
Submitter: "Zuul (22348)"
Branch: master

commit 23477a13ab29e952a77184c5cf989ecfa175a3ab
Author: Jose Castro Leon <email address hidden>
Date: Tue Jul 13 11:00:58 2021 +0200

Improve performance on trust deletion

    During a trust deletion, the backend will fetch all trust by the same
    trustor and look for redelegations to be deleted as well. If you have
    a considerable amount of trusts that call becomes expensive. Just by
    pushing this filter into the backend, the response time for the api call
    just depends on the number of redelegations for that trust.

Change-Id: Id3a820fca0bb20561ba031797d2b0fb96ba1f78d
Closes-Bug: #1935840

Changed in keystone:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-03-11: Fix included in openstack/keystone 21.0.0.0rc1

This issue was fixed in the openstack/keystone 21.0.0.0rc1 release candidate.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.