neutron port-list consumes much longer for normal tenant user than admin role user

Bug #1611626 reported by yong sheng gong
This bug report is a duplicate of:  Bug #1513782: API response time degradation. Edit Remove
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
neutron
New
High
Unassigned

Bug Description

I have a neutron deployment where there are just 300 ports.
for admin user to run neutron port-list, it just took 2 secs, but for normal tenant user, it took more than 10+ secs.

I examined the API codes, thought it is the authorisation check that makes the difference.

Revision history for this message
Ihar Hrachyshka (ihar-hrachyshka) wrote :

Well, it may be not an issue per se, as long as the list operation scales well (meaning, listing of a single port is not too much lower than for 10000 ports).

Which version is it? Does it include https://review.openstack.org/#/c/269892/ ? Do ports belong to the tenant? Can you also check if https://review.openstack.org/#/c/271830/ helps?

Revision history for this message
yong sheng gong (gongysh) wrote :

https://github.com/openstack/neutron/blob/master/neutron/api/v2/base.py#L275
            obj_list = [obj for obj in obj_list
                        if policy.check(request.context,
                                        self._plugin_handlers[self.SHOW],
                                        obj,
                                        plugin=self._plugin,
                                        pluralized=self._collection)]

this code will go through each object in system no matter what tenant the object belongs to.
the following code can explain why the admin has 'good' performance:

https://github.com/openstack/neutron/blob/master/neutron/policy.py#L356
    if context.is_admin:
        return True
    rule, target, credentials = _prepare_check(context,
                                               action,
                                               target,
                                               pluralized)
    try:
        result = _ENFORCER.enforce(rule, target, credentials, action=action,
                                   do_raise=True)
    except policy.PolicyNotAuthorized:
        with excutils.save_and_reraise_exception():
            log_rule_list(rule)
            LOG.debug("Failed policy check for '%s'", action)
    return result

for each object, neutron will go through the policy check stack, which is heavy.

So, I think it is impacting all versions, and will deteriorate as objects number increases.

Changed in neutron:
importance: Undecided → Medium
tags: added: usability
Assaf Muller (amuller)
Changed in neutron:
importance: Medium → High
milestone: none → newton-3
Changed in neutron:
milestone: newton-3 → newton-rc1
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by garyk (<email address hidden>) on branch: master
Review: https://review.openstack.org/302266

Changed in neutron:
milestone: newton-rc1 → ocata-1
Changed in neutron:
assignee: nobody → omkar_telee (omkar-telee)
Revision history for this message
omkar_telee (omkar-telee) wrote :

Started exploring the bug..

Changed in neutron:
assignee: omkar_telee (omkar-telee) → nobody
Changed in neutron:
milestone: ocata-1 → ocata-2
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/406352

Changed in neutron:
assignee: nobody → Brian Stajkowski (brian-stajkowski)
status: New → In Progress
Changed in neutron:
milestone: ocata-2 → ocata-3
Changed in neutron:
milestone: ocata-3 → ocata-rc1
Revision history for this message
Armando Migliaccio (armando-migliaccio) wrote :

Isn't this a duplicate of bug 1513782?

Revision history for this message
Kevin Benton (kevinbenton) wrote : auto-abandon-script

This bug has had a related patch abandoned and has been automatically un-assigned due to inactivity. Please re-assign yourself if you are continuing work or adjust the state as appropriate if it is no longer valid.

Changed in neutron:
assignee: Brian Stajkowski (brian-stajkowski) → nobody
status: In Progress → New
tags: added: timeout-abandon
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by Kevin Benton (<email address hidden>) on branch: master
Review: https://review.openstack.org/406352
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.