neutron

neutron port-list consumes much longer for normal tenant user than admin role user

Bug #1611626 reported by yong sheng gong on 2016-08-10

This bug report is a duplicate of: Bug #1513782: API response time degradation. Edit Remove

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	neutron	New	High	Unassigned	neutron ocata-rc1 "rc1"

Bug Description

I have a neutron deployment where there are just 300 ports.
for admin user to run neutron port-list, it just took 2 secs, but for normal tenant user, it took more than 10+ secs.

I examined the API codes, thought it is the authorisation check that makes the difference.

Tags:

Revision history for this message

Ihar Hrachyshka (ihar-hrachyshka) wrote on 2016-08-10:

Well, it may be not an issue per se, as long as the list operation scales well (meaning, listing of a single port is not too much lower than for 10000 ports).

Which version is it? Does it include https://review.openstack.org/#/c/269892/ ? Do ports belong to the tenant? Can you also check if https://review.openstack.org/#/c/271830/ helps?

Revision history for this message

yong sheng gong (gongysh) wrote on 2016-08-10:

https://github.com/openstack/neutron/blob/master/neutron/api/v2/base.py#L275
            obj_list = [obj for obj in obj_list
                        if policy.check(request.context,
                                        self._plugin_handlers[self.SHOW],
                                        obj,
                                        plugin=self._plugin,
                                        pluralized=self._collection)]

this code will go through each object in system no matter what tenant the object belongs to.
the following code can explain why the admin has 'good' performance:

https://github.com/openstack/neutron/blob/master/neutron/policy.py#L356
    if context.is_admin:
        return True
    rule, target, credentials = _prepare_check(context,
                                               action,
                                               target,
                                               pluralized)
    try:
        result = _ENFORCER.enforce(rule, target, credentials, action=action,
                                   do_raise=True)
    except policy.PolicyNotAuthorized:
        with excutils.save_and_reraise_exception():
            log_rule_list(rule)
            LOG.debug("Failed policy check for '%s'", action)
    return result

for each object, neutron will go through the policy check stack, which is heavy.

So, I think it is impacting all versions, and will deteriorate as objects number increases.

Nate Johnston (nate-johnston) on 2016-08-10

Changed in neutron:
importance:	Undecided → Medium
tags:	added: usability

Assaf Muller (amuller) on 2016-08-24

Changed in neutron:
importance:	Medium → High
milestone:	none → newton-3

Armando Migliaccio (armando-migliaccio) on 2016-09-01

Changed in neutron:
milestone:	newton-3 → newton-rc1

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-09-07: Change abandoned on neutron (master)

Change abandoned by garyk (<email address hidden>) on branch: master
Review: https://review.openstack.org/302266

Armando Migliaccio (armando-migliaccio) on 2016-09-09

Changed in neutron:
milestone:	newton-rc1 → ocata-1

omkar_telee (omkar-telee) on 2016-09-25

Changed in neutron:
assignee:	nobody → omkar_telee (omkar-telee)

Revision history for this message

omkar_telee (omkar-telee) wrote on 2016-09-26:

Started exploring the bug..

omkar_telee (omkar-telee) on 2016-09-26

Changed in neutron:
assignee:	omkar_telee (omkar-telee) → nobody

Armando Migliaccio (armando-migliaccio) on 2016-11-16

Changed in neutron:
milestone:	ocata-1 → ocata-2

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-12-02: Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/406352

Changed in neutron:
assignee:	nobody → Brian Stajkowski (brian-stajkowski)
status:	New → In Progress

Armando Migliaccio (armando-migliaccio) on 2017-01-06

Changed in neutron:
milestone:	ocata-2 → ocata-3

Armando Migliaccio (armando-migliaccio) on 2017-01-26

Changed in neutron:
milestone:	ocata-3 → ocata-rc1

Revision history for this message

Armando Migliaccio (armando-migliaccio) wrote on 2017-02-06:

Isn't this a duplicate of bug 1513782?

Revision history for this message

Kevin Benton (kevinbenton) wrote on 2017-03-21: auto-abandon-script

This bug has had a related patch abandoned and has been automatically un-assigned due to inactivity. Please re-assign yourself if you are continuing work or adjust the state as appropriate if it is no longer valid.

Changed in neutron:
assignee:	Brian Stajkowski (brian-stajkowski) → nobody
status:	In Progress → New
tags:	added: timeout-abandon

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-03-21: Change abandoned on neutron (master)

Change abandoned by Kevin Benton (<email address hidden>) on branch: master
Review: https://review.openstack.org/406352
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Report a bug

This report contains Public information

Everyone can see this information.

Duplicate of bug #1513782 Remove

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.