openstack team mailing list archive
Re: Keystone should to Apache HTTPD.
Adam Young <ayoung@xxxxxxxxxx>
Thu, 01 Mar 2012 17:18:01 -0500
On 03/01/2012 03:52 PM, Kevin L. Mitchell wrote:
> On Thu, 2012-03-01 at 14:05 -0500, Adam Young wrote:
>> The traffic in an Openstack deployment to a Keystone server is going
>> to be about two orders of magnitude less than any other traffic, and
>> is highly unlikely to be the bottleneck.
> Not quite. I wrote this up, back in November:
> Since then, of course, Keystone has gone through some major cleanups
> that have improved its efficiency, but, as Vish pointed out in the other
> thread, every service still has to hit Keystone to verify a given token,
> which makes Keystone have the highest number of hits for any given
> operation…which in turn makes it *the* most likely bottleneck.
Good write up.
My SWAG estimate was based on an efficient protocol. I am still
learning Keystone, so I can't say as far as how it is deployed in practice.
HMAC can be supported with a Public/Private key pair fairly easily. If
the HMAC is signed with a private key, the other service can confirm
them with a public key. It should really not require a round trip to
verify a token.