← Back to team overview

openstack team mailing list archive

Re: Keystone should to Apache HTTPD.


On 03/01/2012 03:52 PM, Kevin L. Mitchell wrote:
On Thu, 2012-03-01 at 14:05 -0500, Adam Young wrote:
The traffic in an Openstack deployment to a Keystone server is going
to be about two orders of magnitude less than any other traffic, and
is highly unlikely to be the bottleneck.
Not quite.  I wrote this up, back in November:


Since then, of course, Keystone has gone through some major cleanups
that have improved its efficiency, but, as Vish pointed out in the other
thread, every service still has to hit Keystone to verify a given token,
which makes Keystone have the highest number of hits for any given
operation…which in turn makes it *the* most likely bottleneck.

Good write up.

My SWAG estimate was based on an efficient protocol. I am still learning Keystone, so I can't say as far as how it is deployed in practice.

HMAC can be supported with a Public/Private key pair fairly easily. If the HMAC is signed with a private key, the other service can confirm them with a public key. It should really not require a round trip to verify a token.