Spamming keystone server with 'revocation list'
Bug #1361743 reported by Alexander Chudnovets
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
keystonemiddleware | Fix Released | Wishlist | Morgan Fainberg |
Bug Description
With PKI tokens, a user can reduce the number of requests to the keystone server. But if there are a lot of processes running auth middleware, from time to time those processes begin to spam keystone with revocation list requests. Can it be avoided? (using lock files, for example)
description: updated
tags: added: pki
Changed in keystonemiddleware:
assignee: nobody → Morgan Fainberg (mdrnstm)
status: Confirmed → In Progress
Unfortunately, we need to get the revocation list from Keystone for PKI tokens.
For UUID tokens we shouldn't be requesting the revocation list.
You can also set revocation_cache_time to a higher value to limit the frequency of these requests; however, it will also limit your endpoint's ability to identify revoked PKI tokens.
Overall this is a general performance improvement we can work on, but it will never really go away. It might be possible to use some cross-greenthread / cross-worker locking to help limit the number of requests.
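
The lock-file idea from the report and the cross-worker locking from the comment above, as an added example that is not part of the bug thread and not keystonemiddleware's code: workers on one host share a file-backed copy of the revocation list, and only the worker holding the lock contacts keystone. `SharedRevocationCache`, its `fetch` callable, the cache path and the sample data are all hypothetical.

```python
import fcntl, json, os, tempfile, threading, time

class SharedRevocationCache:
    """Revocation list cache shared by all worker processes on one host."""
    def __init__(self, path, cache_time, fetch):
        self.path = path              # assumed location; directory writable only by the service user
        self.cache_time = cache_time  # seconds, same role as revocation_cache_time
        self.fetch = fetch            # hypothetical callable that requests the list from keystone

    def _read_fresh(self):
        try:
            if time.time() - os.stat(self.path).st_mtime < self.cache_time:
                with open(self.path) as f:
                    return json.load(f)
        except (OSError, ValueError):  # missing or corrupt cache file: treat as stale
            pass
        return None

    def get(self):
        cached = self._read_fresh()
        if cached is not None:
            return cached
        with open(self.path + ".lock", "w") as lock:
            fcntl.flock(lock, fcntl.LOCK_EX)  # waits while another worker refreshes
            cached = self._read_fresh()       # that worker may already have refreshed
            if cached is not None:
                return cached
            revoked = self.fetch()
            fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path) or ".")
            with os.fdopen(fd, "w") as f:
                json.dump(revoked, f)
            os.replace(tmp, self.path)        # atomic swap: readers never see a partial file
            return revoked                    # lock is released when the lock file closes

def demo(workers=8):
    """Constructed simulation: threads stand in for workers; returns the fetch count."""
    calls = []
    def fake_fetch():                         # stands in for the request to keystone
        calls.append(1)
        time.sleep(0.05)
        return {"revoked": ["constructed-token-id"]}
    path = os.path.join(tempfile.mkdtemp(), "revoked.json")
    threads = [threading.Thread(target=SharedRevocationCache(path, 60, fake_fetch).get)
               for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(calls)
```

Because `flock` conflicts between separate `open()` calls, the same code serialises separate processes as well as the threads used in `demo()`. The lock only removes duplicate requests within one cache period; how late a revocation is noticed is still bounded by `cache_time`.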