Spamming keystone server with 'revocation list'

Bug #1361743 reported by Alexander Chudnovets
This bug affects 1 person
Affects: keystonemiddleware
Status: Fix Released
Importance: Wishlist
Assigned to: Morgan Fainberg

Bug Description

With PKI tokens, a user can reduce the number of requests to the keystone server. But if there are a lot of processes running auth middleware, from time to time those processes begin to spam keystone with revocation list requests. Can it be avoided (using lock files, for example)?

Tags: pki
description: updated
Morgan Fainberg (mdrnstm) wrote :

Unfortunately, we need to get the revocation list from Keystone for PKI tokens.

For UUID tokens we shouldn't be requesting the revocation list.

You can also set revocation_cache_time to a higher value to limit the frequency of these requests; however, it will also limit your endpoints' ability to identify revoked PKI tokens.

Overall this is a general performance improvement we can work on, but it will never really go away. It might be possible to use some cross-greenthread / cross-worker locking to help limit the number of requests.

Changed in keystonemiddleware:
importance: Undecided → Wishlist
status: New → Confirmed
tags: added: pki
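
The lock-file idea from the report and the cross-worker locking mentioned in the reply can be sketched as follows; this is an added example, not keystonemiddleware code. The function name `get_revocation_list`, the `fetch` callable and the cache file names are assumptions, and `cache_time` plays the role of the cache interval discussed above: it also bounds how long a revoked token can still be accepted.

```python
import fcntl
import json
import os
import tempfile
import time


def get_revocation_list(cache_dir, fetch, cache_time=10.0, now=time.time):
    """Return the revocation list, refreshing at most once per cache_time.

    fetch is a hypothetical callable that performs the real request to the
    identity server and returns a JSON-serialisable list of revoked token ids.
    """
    cache_path = os.path.join(cache_dir, "revoked.json")
    lock_path = os.path.join(cache_dir, "revoked.lock")

    def read_fresh():
        try:
            with open(cache_path) as f:
                entry = json.load(f)
        except (FileNotFoundError, ValueError):
            return None
        if now() - entry["fetched_at"] < cache_time:
            return entry["revoked"]
        return None

    cached = read_fresh()  # fast path: no lock, no request
    if cached is not None:
        return cached

    with open(lock_path, "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)  # one refresher across all workers
        try:
            cached = read_fresh()  # another worker may have refreshed meanwhile
            if cached is not None:
                return cached
            revoked = fetch()
            # Write to a temp file and rename so readers never see a partial cache.
            fd, tmp = tempfile.mkstemp(dir=cache_dir)
            with os.fdopen(fd, "w") as f:
                json.dump({"fetched_at": now(), "revoked": revoked}, f)
            os.replace(tmp, cache_path)
            return revoked
        finally:
            fcntl.flock(lock, fcntl.LOCK_UN)
```

Workers that find the cache stale queue on the lock, and all but the first return the freshly written copy without contacting the server.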
Lance Bragstad (lbragstad) wrote :

Even though we removed support for PKI tokens, we should limit the requests to fetch revocation lists when we're not using PKI. This would be a pretty easy thing to do if we can determine which token type we're dealing with in keystonemiddleware, which there are utility methods for.

Morgan Fainberg (mdrnstm) wrote :

This bug should simply be to remove the bit rotting bits from KSM such as PKI.

Changed in keystonemiddleware:
assignee: nobody → Morgan Fainberg (mdrnstm)
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystonemiddleware (master)

Reviewed: https://review.openstack.org/613651
Committed: https://git.openstack.org/cgit/openstack/keystonemiddleware/commit/?id=7e1b53625990bb08425645cb92f36e16bd67db7f
Submitter: Zuul
Branch: master

commit 7e1b53625990bb08425645cb92f36e16bd67db7f
Author: Morgan Fainberg <email address hidden>
Date: Fri Oct 26 10:32:28 2018 -0700

    Stop supporting revocation list

    With keystone's move to eliminating pki, pkiz, and uuid tokens the
    revocation list is no longer generated. Keystonemiddleware no longer
    needs to attempt to retrieve it and reference it.

    Change-Id: Ief3bf1941e62f9136dbed11877bca81c4102041b
    closes-bug: #1361743
    partial-bug: #1649735
    partial-bug: #1736985

Changed in keystonemiddleware:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystonemiddleware 6.0.0

This issue was fixed in the openstack/keystonemiddleware 6.0.0 release.
