openstack team mailing list archive

Re: Keystone should to Apache HTTPD.

 

On 03/01/2012 03:52 PM, Kevin L. Mitchell wrote:
> On Thu, 2012-03-01 at 14:05 -0500, Adam Young wrote:
>> The traffic in an Openstack deployment to a Keystone server is going
>> to be about two orders of magnitude less than any other traffic, and
>> is highly unlikely to be the bottleneck.
> Not quite.  I wrote this up, back in November:
>
>    http://etherpad.openstack.org/keystone-scalability
>
> Since then, of course, Keystone has gone through some major cleanups
> that have improved its efficiency, but, as Vish pointed out in the other
> thread, every service still has to hit Keystone to verify a given token,
> which makes Keystone have the highest number of hits for any given
> operation…which in turn makes it *the* most likely bottleneck.


Good write up.

My SWAG estimate was based on an efficient protocol. I am still learning Keystone, so I can't say as far as how it is deployed in practice.

HMAC can be supported with a Public/Private key pair fairly easily. If the HMAC is signed with a private key, the other service can confirm them with a public key. It should really not require a round trip to verify a token.
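
The following is an added example, not part of the original message and not Keystone code: a sketch of a token that a service verifies locally with the issuer's public key, so no round trip is needed. It assumes the third-party `cryptography` package and uses an Ed25519 digital signature as the public/private-key construction; the token layout, claim names and function names are hypothetical.

```python
import base64
import json
import time

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey


def new_keypair():
    """Private key stays on the identity service; the public key is copied to every service."""
    private_key = Ed25519PrivateKey.generate()
    return private_key, private_key.public_key()


def b64(data):
    return base64.urlsafe_b64encode(data).decode()


def issue_token(private_key, user, roles, ttl=3600, now=None):
    """Identity-service side: serialize the claims and sign them."""
    now = time.time() if now is None else now
    claims = {"user": user, "roles": roles, "exp": int(now) + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    return b64(body) + "." + b64(private_key.sign(body))


def verify_token(public_key, token, now=None):
    """Consuming-service side: purely local check, no request to the identity service.

    Returns the claims, or None when the token is malformed, forged or expired.
    """
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        public_key.verify(base64.urlsafe_b64decode(sig_b64), body)  # raises if forged
        claims = json.loads(body)
    except (ValueError, InvalidSignature):
        return None
    return claims if claims["exp"] > now else None


if __name__ == "__main__":
    signing_key, verify_key = new_keypair()
    token = issue_token(signing_key, "alice", ["member"], ttl=60, now=1000)  # constructed values
    print(verify_token(verify_key, token, now=1010))   # claims dict
    print(verify_token(verify_key, token, now=1060))   # None: expired
    forged = b64(b'{"exp": 1060, "roles": ["admin"], "user": "alice"}') + "." + token.split(".")[1]
    print(verify_token(verify_key, forged, now=1010))  # None: signature does not match
```

A locally verified token stays valid until its `exp` time, so revocation is only seen if lifetimes are short or a revocation list is distributed alongside the public key.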

