commit a240c68022d96c8639652cbdf57e707e68fb2a88
Author: Miguel Lavalle <email address hidden>
Date: Sun Jun 16 19:59:03 2019 -0500
Fix list security groups performance with RBAC
After change [1], if the system has a high number of security groups
with no associated RBAC entries, a non admin user owning only one
security group will experience unacceptable response times when
listing her security groups.
Change [1] added methods get_object and get_objects to class
RbacNeutronDbObjectMixin in neutron.objects.rbac_db, which retrieve with
and admin context all the objects (networks, subnets or security groups)
in the DB and then decide in memory whether the project that made the
query has access to them or not, based on their associated RBAC
policies. This change proposes to remove those methods and revert to
their counterparts in NeutronDbObject (neutron.objects.base), which use
a DB query scoped to the project to retrieve the objects based on their
associated RBAC policies by calling [2]. In this way, the potential
number of objects that are retrieved from the DB and that have to be
converted to OVOs is greatly reduced, improving significantly the
response time to the user.
Reviewed: https:/ /review. opendev. org/665566 /git.openstack. org/cgit/ openstack/ neutron/ commit/ ?id=a240c68022d 96c8639652cbdf5 7e707e68fb2a88
Committed: https:/
Submitter: Zuul
Branch: master
commit a240c68022d96c8 639652cbdf57e70 7e68fb2a88
Author: Miguel Lavalle <email address hidden>
Date: Sun Jun 16 19:59:03 2019 -0500
Fix list security groups performance with RBAC
After change [1], if the system has a high number of security groups
with no associated RBAC entries, a non admin user owning only one
security group will experience unacceptable response times when
listing her security groups.
Change [1] added methods get_object and get_objects to class DbObjectMixin in neutron. objects. rbac_db, which retrieve with objects. base), which use
RbacNeutron
and admin context all the objects (networks, subnets or security groups)
in the DB and then decide in memory whether the project that made the
query has access to them or not, based on their associated RBAC
policies. This change proposes to remove those methods and revert to
their counterparts in NeutronDbObject (neutron.
a DB query scoped to the project to retrieve the objects based on their
associated RBAC policies by calling [2]. In this way, the potential
number of objects that are retrieved from the DB and that have to be
converted to OVOs is greatly reduced, improving significantly the
response time to the user.
[1] https:/ /review. opendev. org/#/c/ 635311 /github. com/openstack/ neutron- lib/blob/ 7a58374fde64fdc 14e327940dde6be a4a8a39345/ neutron_ lib/db/ model_query. py#L100
[2] https:/
Change-Id: Idd303778d83089 da8fbeff40e3dda 2bd19008d8e
Closes-Bug: #1830679