commit 73e3f7d281ce606f25d4668b98a7002de34bf3c9
Author: Miguel Lavalle <email address hidden>
Date: Sun Jun 16 19:59:03 2019 -0500

Fix list security groups performance with RBAC

After change [1], if the system has a high number of security groups
with no associated RBAC entries, a non admin user owning only one
security group will experience unacceptable response times when
listing her security groups.

Change [1] added methods get_object and get_objects to class
RbacNeutronDbObjectMixin in neutron.objects.rbac_db, which retrieve with
an admin context all the objects (networks, subnets or security groups)
in the DB and then decide in memory whether the project that made the
query has access to them or not, based on their associated RBAC
policies. This change proposes to remove those methods and revert to
their counterparts in NeutronDbObject (neutron.objects.base), which use
a DB query scoped to the project to retrieve the objects based on their
associated RBAC policies by calling [2]. In this way, the potential
number of objects that are retrieved from the DB and that have to be
converted to OVOs is greatly reduced, improving significantly the
response time to the user.
Reviewed: https://review.opendev.org/670075
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=73e3f7d281ce606f25d4668b98a7002de34bf3c9
Submitter: Zuul
Branch: stable/stein
[1] https://review.opendev.org/#/c/635311
[2] https://github.com/openstack/neutron-lib/blob/7a58374fde64fdc14e327940dde6bea4a8a39345/neutron_lib/db/model_query.py#L100
Change-Id: Idd303778d83089da8fbeff40e3dda2bd19008d8e
Closes-Bug: #1830679
(cherry picked from commit a240c68022d96c8639652cbdf57e707e68fb2a88)
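
The two retrieval strategies the commit message contrasts, as an added example that is not Neutron or neutron-lib code: an admin-style read of every row followed by an in-memory access decision, versus a query scoped to the calling project with the RBAC condition in the WHERE clause. The `sg` and `sg_rbac` tables, the function names and all rows are constructed for illustration; only the `access_as_shared` action and the `*` wildcard target mirror Neutron's RBAC model.

```python
import sqlite3

def build_db(n_foreign=1000):
    """Constructed data: n_foreign groups owned by other projects, plus one
    owned by 'alice', one shared with 'alice', and one shared with everyone."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sg (id TEXT PRIMARY KEY, project_id TEXT);
        CREATE TABLE sg_rbac (object_id TEXT, target_project TEXT, action TEXT);
    """)
    rows = [(f"sg-{i}", f"proj-{i}") for i in range(n_foreign)]
    rows += [("sg-own", "alice"), ("sg-shared", "bob"), ("sg-public", "carol")]
    db.executemany("INSERT INTO sg VALUES (?, ?)", rows)
    db.executemany(
        "INSERT INTO sg_rbac VALUES (?, ?, 'access_as_shared')",
        [("sg-shared", "alice"), ("sg-public", "*"), ("sg-0", "dave")])
    return db

def list_in_memory(db, project):
    """Read every group regardless of owner, then decide access in Python.
    Returns (visible ids, number of group rows pulled from the DB)."""
    groups = db.execute("SELECT id, project_id FROM sg").fetchall()
    rbac = db.execute("SELECT object_id, target_project FROM sg_rbac "
                      "WHERE action = 'access_as_shared'").fetchall()
    shared = {oid for oid, target in rbac if target in (project, "*")}
    visible = sorted(g for g, owner in groups if owner == project or g in shared)
    return visible, len(groups)

def list_scoped(db, project):
    """Let the DB apply ownership and RBAC, so rows the caller cannot see
    are never fetched. Returns (visible ids, number of rows pulled)."""
    rows = db.execute("""
        SELECT DISTINCT sg.id FROM sg
        LEFT OUTER JOIN sg_rbac r ON r.object_id = sg.id
        WHERE sg.project_id = ?
           OR (r.action = 'access_as_shared' AND r.target_project IN (?, '*'))
        ORDER BY sg.id""", (project, project)).fetchall()
    return [r[0] for r in rows], len(rows)

if __name__ == "__main__":
    db = build_db()
    for fn in (list_in_memory, list_scoped):
        visible, fetched = fn(db, "alice")
        print(f"{fn.__name__}: visible={visible} rows_fetched={fetched}")
```

Both functions must return the same visible set for any project; a mismatch between the in-memory decision and the scoped query would be an authorization bug rather than a performance difference.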