Mirantis OpenStack

Keystone reads users from LDAP too slow

Series 10.0.x
Bug #1496840

Bug #1496840 reported by Paul Karikh on 2015-09-17

This bug affects 4 people

	Status	Importance	Assigned to	Milestone
Mirantis OpenStack	Status tracked in 10.0.x
10.0.x	Confirmed	High	Unassigned	Mirantis OpenStack 10.0
7.0.x	Won't Fix	High	Boris Bobrov	Mirantis OpenStack 7.0-updates
8.0.x	Won't Fix	High	Boris Bobrov	Mirantis OpenStack 8.0
9.x	Won't Fix	High	Boris Bobrov	Mirantis OpenStack 9.x-updates

Bug Description

I've deployed MOS 7.0 with Fuel Keystone LDAP plugin and tried to list users with Horizon. Everything works slow, but fine and there were no errors.
After that I've created 5K users in the LDAP. Somewhere after 1.5K users Horizon requests to Keystone started to failing with timeout error.
When Horizon is waiting for Keystone response, a I see in Keystone logs (/var/log/keystone/main.log) a lot of debug lines like this:
`2015-09-17 11:37:47.990 12575 DEBUG keystone.identity.core [-] ID Mapping - Domain ID: cdb5ef2ad5324ba3b4a56cec6ac33420, Default Driver: False, Domains: False, UUIDs: False, Compatible IDs: True _set_domain_id_and_mapping /usr/lib/python2.7/dist-packages/keystone/identity/core.py:492
2015-09-17 11:37:47.991 12575 DEBUG keystone.identity.core [-] Local ID: auto_user-1067 _set_domain_id_and_mapping_for_single_ref /usr/lib/python2.7/dist-packages/keystone/identity/core.py:510`

After that I've deleted almost all users from LDAP (there left only auto_user0, auto_user1 and auto_user10 and admin users) and tried to fetch them again with Horizon. And I've got the same lines:

2015-09-17 11:37:47.969 12575 DEBUG keystone.identity.core [-] Local ID: auto_user-1 _set_domain_id_and_mapping_for_single_ref /usr/lib/python2.7/dist-packages/keystone/identity/core.py:510
2015-09-17 11:37:47.978 12575 DEBUG keystone.identity.core [-] Found existing mapping to public ID: a06df89598f65718695a3c3e138451f351416dfbd3f39fb254462f438de4c274 _set_domain_id_and_mapping_for_single_ref /usr/lib/python2.7/dist-packages/keystone/identity/core.py:523
2015-09-17 11:37:47.980 12575 DEBUG keystone.identity.core [-] ID Mapping - Domain ID: cdb5ef2ad5324ba3b4a56cec6ac33420, Default Driver: False, Domains: False, UUIDs: False, Compatible IDs: True _set_domain_id_and_mapping /usr/lib/python2.7/dist-packages/keystone/identity/core.py:492
2015-09-17 11:37:47.982 12575 DEBUG keystone.identity.core [-] Local ID: auto_user-10 _set_domain_id_and_mapping_for_single_ref /usr/lib/python2.7/dist-packages/keystone/identity/core.py:510
2015-09-17 11:37:47.989 12575 DEBUG keystone.identity.core [-] Found existing mapping to public ID: 44c396a392a341539101a28cdad4312d5113ca88c264fb4135550c0e336ae579 _set_domain_id_and_mapping_for_single_ref /usr/lib/python2.7/dist-packages/keystone/identity/core.py:523
2015-09-17 11:37:47.990 12575 DEBUG keystone.identity.core [-] ID Mapping - Domain ID: cdb5ef2ad5324ba3b4a56cec6ac33420, Default Driver: False, Domains: False, UUIDs: False, Compatible IDs: True _set_domain_id_and_mapping /usr/lib/python2.7/dist-packages/keystone/identity/core.py:492
2015-09-17 11:37:47.991 12575 DEBUG keystone.identity.core [-] Local ID: auto_user-1067 _set_domain_id_and_mapping_for_single_ref /usr/lib/python2.7/dist-packages/keystone/identity/core.py:510
2015-09-17 11:37:47.998 12575 DEBUG keystone.identity.core [-] Found existing mapping to public ID: 85ca3743b8406ffd60505fa16342f66cf3f6b7ed9d8d197e3beab28e2715930c _set_domain_id_and_mapping_for_single_ref /usr/lib/python2.7/dist-packages/keystone/identity/core.py:523
2015-09-17 11:37:48.000 12575 DEBUG keystone.identity.core [-] ID Mapping - Domain ID: cdb5ef2ad5324ba3b4a56cec6ac33420, Default Driver: False, Domains: False, UUIDs: False, Compatible IDs: True _set_domain_id_and_mapping /usr/lib/python2.7/dist-packages/keystone/identity/core.py:492
2015-09-17 11:37:48.001 12575 DEBUG keystone.identity.core [-] Local ID: auto_user-1068 _set_domain_id_and_mapping_for_single_ref /usr/lib/python2.7/dist-packages/keystone/identity/core.py:510
2015-09-17 11:37:48.009 12575 DEBUG keystone.identity.core [-] Found existing mapping to public ID: 1de806c18b4cca49aefb0820e1097e8df5fd68ea0b1425b74643eacbc2e9d981 _set_domain_id_and_mapping_for_single_ref /usr/lib/python2.7/dist-packages/keystone/identity/core.py:523
2015-09-17 11:37:48.011 12575 DEBUG keystone.identity.core [-] ID Mapping - Domain ID: cdb5ef2ad5324ba3b4a56cec6ac33420, Default Driver: False, Domains: False, UUIDs: False, Compatible IDs: True _set_domain_id_and_mapping /usr/lib/python2.7/dist-packages/keystone/identity/core.py:492
2015-09-17 11:37:48.012 12575 DEBUG keystone.identity.core [-] Local ID: auto_user-1069 _set_domain_id_and_mapping_for_single_ref /usr/lib/python2.7/dist-packages/keystone/identity/core.py:510
2015-09-17 11:37:48.019 12575 DEBUG keystone.identity.core [-] Found existing mapping to public ID: 94f6f8fbac83e4ae87fab63758322dabfaf43b9187a77f3b50d2bb66f26be5e4 _set_domain_id_and_mapping_for_single_ref /usr/lib/python2.7/dist-packages/keystone/identity/core.py:523
2015-09-17 11:37:48.020 12575 DEBUG keystone.identity.core [-] ID Mapping - Domain ID: cdb5ef2ad5324ba3b4a56cec6ac33420, Default Driver: False, Domains: False, UUIDs: False, Compatible IDs: True _set_domain_id_and_mapping /usr/lib/python2.7/dist-packages/keystone/identity/core.py:492
2015-09-17 11:37:48.021 12575 DEBUG keystone.identity.core [-] Local ID: auto_user-1070

The problem is users auto_user-1070 , auto_user-1069, auto_user-1067, etc are no more present in LDAP. And even after 24 hours after users has been deleted from LDAP there are a lot of lines where Keystone says that it maps these users. And looks like while Keystone maps users, Horizon is waiting fore response. So, even if LDAP has not so much users, Horizon can't get a response from Keystone for listing users and fails with timeout.

Here is how LDAP is configured with Keystone:
/etc/keystone/domains/keystone.keystone.tld.conf contains the followong lines

[ldap]
user_allow_update=False
user=cn=admin_ad,cn=Users,dc=keystone,dc=tld
user_filter=
user_name_attribute=cn
user_pass_attribute=userPassword
user_enabled_attribute=enabled
suffix=dc=keystone,dc=tld
password=Pass1234
url=ldap://172.16.57.78
user_allow_create=False
user_allow_delete=False
user_objectclass=person
user_tree_dn=dc=keystone,dc=tld
query_scope=sub
user_id_attribute=cn
debug_level=-1
page_size = 50

[identity]
driver=keystone.identity.backends.ldap.Identity

See original description

Tags:

Paul Karikh (pkarikh) on 2015-09-17

description:

updated

Vasyl Saienko (vsaienko) on 2015-09-17

Changed in mos:
status:	New → Confirmed

Paul Karikh (pkarikh) on 2015-09-17

description:

updated

Timur Sufiev (tsufiev-x) on 2015-09-17

summary:

- Keystone loggs that it maps already non-existent users
+ Keystone logs that it maps already non-existent users

Paul Karikh (pkarikh) on 2015-09-25

summary:

- Keystone logs that it maps already non-existent users
+ Keystone reads users from LDAP too slowly

Revision history for this message

Boris Bobrov (bbobrov) wrote on 2015-10-20: Re: Keystone reads users from LDAP too slowly

We've decided to implement limiting. The implementation is traced in PROD-2000

Alexander Makarov (amakarov) on 2015-11-13

summary:

- Keystone reads users from LDAP too slowly
+ Keystone reads users from LDAP too slow

Revision history for this message

Alexander Makarov (amakarov) wrote on 2015-11-13:

We'll lower it's importance to medium as list_limit is implemented

Revision history for this message

Davanum Srinivas (DIMS) (dims-v) wrote on 2015-11-26:

Sasha,

What's the working done for this? Links to reviews please?

Revision history for this message

Boris Bobrov (bbobrov) wrote on 2015-11-26:

The actual slowness will be worked-around after list_limit for ldap is implemented: https://review.openstack.org/#/c/234849/ .

Michael Kraynov (mkraynov) on 2015-11-26

tags:

added: customer-found

Revision history for this message

Alexander Makarov (amakarov) wrote on 2015-11-26: Re: [Bug 1496840] Re: Keystone reads users from LDAP too slow

Dims, I watch the bug status carefully - there are bugs that will not
be fixed directly.
Some of these will even become invalid when other bugs are fixed.

On Thu, Nov 26, 2015 at 12:21 PM, Boris Bobrov <email address hidden> wrote:
> The actual slowness will be worked-around after list_limit for ldap is
> implemented: https://review.openstack.org/#/c/234849/ .
>
> ** Changed in: mos/7.0.x
> Assignee: MOS Keystone (mos-keystone) => Boris Bobrov (bbobrov)
>
> ** Changed in: mos/8.0.x
> Assignee: MOS Keystone (mos-keystone) => Boris Bobrov (bbobrov)
>
> --
> You received this bug notification because you are a member of MOS
> Keystone, which is a bug assignee.
> https://bugs.launchpad.net/bugs/1496840
>
> Title:
> Keystone reads users from LDAP too slow
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/mos/+bug/1496840/+subscriptions

--
Kind Regards,
Alexander Makarov,
Senior Software Developer,

Mirantis, Inc.
35b/3, Vorontsovskaya St., 109147, Moscow, Russia

Tel.: +7 (495) 640-49-04
Tel.: +7 (926) 204-50-60

Skype: MAKAPOB.AJIEKCAHDP

Revision history for this message

Boris Bobrov (bbobrov) wrote on 2015-12-07:

https://review.openstack.org/#/c/234849/ -- the workaround with limiting the number of fetched users is being implemented in this chain of patches.

Revision history for this message

Boris Bobrov (bbobrov) wrote on 2015-12-07:

The patches might be too complex for backporting them to 7.0. I'm marking it as "won't fix" for 7.0, if you still need it, please reopen the bug.

Revision history for this message

Davanum Srinivas (DIMS) (dims-v) wrote on 2016-01-05:

Looks like one of the reviews in that series Boris is pointing to is still waiting to be merged in upstream

Revision history for this message

Dmytro Fomenko (daks12) wrote on 2016-01-26:

Download full text (7.1 KiB)

The same issue, customer Teradata. Fuel 7.0 + LDAP plugin. When I'm trying to list user in domain (or create project) I see a huge amount of the following message in log for 6 minutes:

The same issue, customer Teradata. Fuel 7.0 + LDAP plugin. When I'm trying to list user in domain (or create project) I see a huge amount of the following message in log for 6 minutes:

2016-01-26 17:28:20.295 8365 DEBUG keystone.identity.core [-] Local ID: jb1800906 _set_domain_id_and_mapping_for_single_ref /usr/lib/python2.7/dist-packages/keystone/identity/core.py:510
2016-01-26 17:28:20.298 8365 DEBUG keystone.identity.core [-] Found existing mapping to public ID: c1273166d7321e614fa7aa5c87c080cb94a9aa6e9a77da891fe4abdc5e0f1a49 _set_domain_id_and_mapping_for_single_ref /usr/lib/python2.7/dist-packages/keystone/identity/core.py:523
2016-01-26 17:28:20.298 8365 DEBUG keystone.identity.core [-] ID Mapping - Domain ID: b0ded156c4e940e5b5dc6649ae248ee4, Default Driver: False, Domains: False, UUIDs: False, Compatible IDs: True _set_domain_id_and_mapping /usr/lib/python2.7/dist-packages/keystone/identity/core.py:492
2016-01-26 17:28:20.298 8365 DEBUG keystone.identity.core [-] Local ID: ef1296204 _set_domain_id_and_mapping_for_single_ref /usr/lib/python2.7/dist-packages/keystone/identity/core.py:510
2016-01-26 17:28:20.300 8365 DEBUG keystone.identity.core [-] Found existing mapping to public ID: dba646a4cebf7f4399506fc37b31033e1525aa55b7fd5c7ba0d940b5da590644 _set_domain_id_and_mapping_for_single_ref /usr/lib/python2.7/dist-packages/keystone/identity/core.py:523
2016-01-26 17:28:20.301 8365 DEBUG keystone.identity.core [-] ID Mapping - Domain ID: b0ded156c4e940e5b5dc6649ae248ee4, Default Driver: False, Domains: False, UUIDs: False, Compatible IDs: True _set_domain_id_and_mapping /usr/lib/python2.7/dist-packages/keystone/identity/core.py:492
2016-01-26 17:28:20.301 8365 DEBUG keystone.identity.core [-] Local ID: ia1830000 _set_domain_id_and_mapping_for_single_ref /usr/lib/python2.7/dist-packages/keystone/identity/core.py:510
2016-01-26 17:28:20.303 8365 DEBUG keystone.identity.core [-] Found existing mapping to public ID: 6352b363edee1a85b5fafbff813070bfac61a6d8f4bbcfe1e0b9501579977f6d _set_domain_id_and_mapping_for_single_ref /usr/lib/python2.7/dist-packages/keystone/identity/core.py:523
2016-01-26 17:28:20.304 8365 DEBUG keystone.identity.core [-] ID Mapping - Domain ID: b0ded156c4e940e5b5dc6649ae248ee4, Default Driver: False, Domains: False, UUIDs: False, Compatible IDs: True _set_domain_id_and_mapping /usr/lib/python2.7/dist-packages/keystone/identity/core.py:492
2016-01-26 17:28:20.304 8365 DEBUG keystone.identity.core [-] Local ID: js1426454 _set_domain_id_and_mapping_for_single_ref /usr/lib/python2.7/dist-packages/keystone/identity/core.py:510
2016-01-26 17:28:20.306 8365 DEBUG keystone.identity.core [-] Found existing mapping to public ID: 94b8237ed3559dcd8a8bd5df2a0d6a7e8b98a45216458f0a80d1e66a160c5d17 _set_domain_id_and_mapping_for_single_ref /usr/lib/python2.7/dist-packages/keystone/identity/core.py:523
2016-01-26 17:28:20.306 8365 DEBUG keystone.identity.core [-] ID Mapping - Domain ID: b0ded156c4e940e5b5dc6649ae248ee4, Default Driver: False, Domains: False, UUIDs: False, Compatible IDs: True _set_domain_id_and_mapping /usr/lib/python2.7/dist-packages/keystone/identity/core.py:492
2016-01-26 17:28:20.307 8365 DEBUG keystone.identity.core [-] Local ID: dd1200115 _set_domain_id_and_mapping_for_single_ref /usr/lib/python2.7/dist-packages/keystone/identity/core.py:510
2016-01-26 17:28:20.310 8365 DEBUG keystone.identity.core [-] Found existing mapping to public ID: 707eace08a83494d305d3be3773c106a5e49100a07e3a0f0b2ec694aaddae349 _set_domain_id_and_mapping_for_single_ref /usr/lib/python2.7/dist-packages/keystone/identity/core.py:523
2016-01-26 17:28:20.310 8365 DEBUG keystone.identity.core [-] ID Mapping - Domain ID: b0ded156c4e940e5b5dc6649ae248ee4, Default Driver: False, Domains: False, UUIDs: False, Compatible IDs: True _set_domain_id_and_mapping /usr/lib/python2.7/dist-packages/keystone/identity/core.py:492
2016-01-26 17:28:20.310 8365 DEBUG keystone.identity.core [-] Local ID: do1203723 _set_domain_id_and_mapping_for_single_ref /usr/lib/python2.7/dist-packages/keystone/identity/core.py:510
2016-01-26 17:28:20.312 8365 DEBUG keystone.identity.core [-] Found existing mapping to public ID: eb61598e60b45b8b46f83a3802b154daa6873c367078028e6671c1349a7b22bb _set_domain_id_and_mapping_for_single_ref /usr/lib/python2.7/dist-packages/keystone/identity/core.py:523
2016-01-26 17:28:20.313 8365 DEBUG keystone.identity.core [-] ID Mapping - Domain ID: b0ded156c4e940e5b5dc6649ae248ee4, Default Driver: False, Domains: False, UUIDs: False, Compatible IDs: True _set_domain_id_and_mapping /usr/lib/python2.7/dist-packages/keystone/identity/core.py:492
2016-01-26 17:28:20.313 8365 DEBUG keystone.identity.core [-] Local ID: jb1322509 _set_domain_id_and_mapping_for_single_ref /usr/lib/python2.7/dist-packages/keystone/identity/core.py:510
2016-01-26 17:28:20.315 8365 DEBUG keystone.identity.core [-] Found existing mapping to public ID: 893a5ab62c6eb07634eb96508cffa233e359c2261b631fe30e09e065d89bc4a8 _set_domain_id_and_mapping_for_single_ref /usr/lib/python2.7/dist-packages/keystone/identity/core.py:523
2016-01-26 17:28:20.315 8365 DEBUG keystone.identity.core [-] ID Mapping - Domain ID: b0ded156c4e940e5b5dc6649ae248ee4, Default Driver: False, Domains: False, UUIDs: False, Compatible IDs: True _set_domain_id_and_mapping /usr/lib/python2.7/dist-packages/keystone/identity/core.py:492
2016-01-26 17:28:20.315 8365 DEBUG keystone.identity.core [-] Local ID: jb1111011 _set_domain_id_and_mapping_for_single_ref /usr/lib/python2.7/dist-packages/keystone/identity/core.py:510
2016-01-26 17:28:20.318 8365 DEBUG keystone.identity.core [-] Found existing mapping to public ID: 287ccae5e63ef69465bdbefa0541d73adba1092802a85b7d2e7797eb0bb2303b _set_domain_id_and_mapping_for_single_ref /usr/lib/python2.7/dist-packages/keystone/identity/core.py:523
2016-01-26 17:28:20.318 8365 DEBUG keystone.identity.core [-] ID Mapping - Domain ID: b0ded156c4e940e5b5dc6649ae248ee4, Default Driver: False, Domains: False, UUIDs: False, Compatible IDs: True _set_domain_id_and_mapping /usr/lib/python2.7/dist-packages/keystone/identity/core.py:492
2016-01-26 17:28:20.318 8365 DEBUG keystone.identity.core [-] Local ID: dz1291217 _set_domain_id_and_mapping_for_single_ref /usr/lib/python2.7/dist-packages/keystone/identity/core.py:510
2016-01-26 17:28:20.320 8365 DEBUG keystone.identity.core [-] Found existing mapping to public ID: cb8a059f6830bf80e9340d7b606c564bd63c106ccf15b4c431bae1692acfe16c _set_domain_id_and_mapping_for_single_ref /usr/lib/python2.7/dist-packages/keystone/identity/core.py:523
2016-01-26 17:28:20.320 8365 DEBUG keystone.identity.core [-] ID Mapping - Domain ID: b0ded156c4e940e5b5dc6649ae248ee4, Default Driver: False, Domains: False, UUIDs: False, Compatible IDs: True _set_domain_id_and_mapping /usr/lib/python2.7/dist-packages/keystone/identity/core.py:492
2016-01-26 17:28:20.320 8365 DEBUG keystone.identity.core [-] Local ID: cn1283748 _set_domain_id_and_mapping_for_single_ref /usr/lib/python2.7/dist-packages/keystone/identity/core.py:510

and get timeout in Horizon after 60 seconds. I've raised timeout in haproxy for keystone 35357 port up to 7minutes and  now I'm able to get a user list. But this is not a solution, just a workaround.  Customer want a permanent fix.

Roman Podoliaka (rpodolyaka) on 2016-02-02

tags:

added: area-keystone move-to-9.0

Roman Podoliaka (rpodolyaka) on 2016-02-02

tags:

added: enhancement

Roman Podoliaka (rpodolyaka) on 2016-02-02

tags:

added: release-notes

Revision history for this message

Boris Bobrov (bbobrov) wrote on 2016-02-02:

#10

I am setting it as "won't fix" for 7.0 and 8.0 because the workaround with limiting turned out to be a whole new feature. The proper fix is very complex too and will require rewriting id_mapping_api.

As a workaround, I suggest you to filter users using filters in keystone.conf. If you want to fix it in code, I suggest you to have a look at function _set_domain_id_and_mapping_for_single_ref and how it's used. The problem is that public id is being queried per user, so for N users there will be N queries.

Roman Podoliaka (rpodolyaka) on 2016-02-03

Changed in mos:
status:	In Progress → Won't Fix

Vitaly Sedelnik (vsedelnik) on 2016-02-12

tags:

added: wontfix-feature

Olga Gusarenko (ogusarenko) on 2016-02-25

tags:

added: 8.0 release-notes-done
removed: release-notes

Revision history for this message

Boris Bobrov (bbobrov) wrote on 2016-05-31:

#11

I am setting this as wont fix for 9.0, because it was not fixed in upstream. This will be worked on in 10.0.

Revision history for this message

Boris Bobrov (bbobrov) wrote on 2016-07-13:

#12

This is being fixed in upstream under bugreport https://bugs.launchpad.net/keystone/+bug/1582585

tags:

added: 10.0-reviewed

Revision history for this message

Maria Zlatkova (mzlatkova) wrote on 2016-12-15:

#13

Adding the release-notes tag back to describe the bug in 9.2 known issues.

tags:

added: release-notes
removed: release-notes-done

Revision history for this message

Maria Zlatkova (mzlatkova) wrote on 2017-01-26:

#14

A release note has been added to 9.2 known issues: https://review.fuel-infra.org/#/c/29742.

tags:

added: release-notes-done
removed: release-notes

Revision history for this message

Denis Meltsaykin (dmeltsaykin) wrote on 2017-03-02:

#15

Won't fix for 9.x-updates, since it is marked as known issue in 9.2

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.