
yahoo-eng-team team mailing list archive

[Bug 1532164] [NEW] revocation process is done thrice while checking token(V3)

 

Public bug reported:

While executing the 'Check Token' use case for version v3, the same SQL queries are executed three times to fetch and delete invalid revocation events. One of them is executed for Auth-Token validation, while the other two are executed during Subject-Token validation.
The queries are:

SELECT revocation_event.id AS revocation_event_id, revocation_event.domain_id AS revocation_event_domain_id, revocation_event.project_id AS revocation_event_project_id, revocation_event.user_id AS revocation_event_user_id, revocation_event.role_id AS revocation_event_role_id, revocation_event.trust_id AS revocation_event_trust_id, revocation_event.consumer_id AS revocation_event_consumer_id, revocation_event.access_token_id AS revocation_event_access_token_id, revocation_event.issued_before AS revocation_event_issued_before, revocation_event.expires_at AS revocation_event_expires_at, revocation_event.revoked_at AS revocation_event_revoked_at, revocation_event.audit_id AS revocation_event_audit_id, revocation_event.audit_chain_id AS revocation_event_audit_chain_id
FROM revocation_event ORDER BY revocation_event.revoked_at

DELETE FROM revocation_event WHERE revocation_event.revoked_at < '2015-12-11 20:50:20'

In the DELETE query, the timestamp will remain the same for all DELETE requests, as the execution time of the use case is approximately 0.160 seconds.
The token can also be validated by executing the queries only once (at the start of the process). Multiple requests for revocation can be considered performance overhead because, to execute 3 queries, keystone needs to connect to MySQL 3 times.

Execution step:

curl -i -X GET -H "X-Auth-Token:<Auth_Token>" -H "X-Subject-Token:<Sub_Token>" http://10.0.32.73:5000/v3/auth/tokens

** Affects: keystone
     Importance: Undecided
     Assignee: rohita joshi (rjoshi16)
         Status: New

** Changed in: keystone
     Assignee: (unassigned) => rohita joshi (rjoshi16)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1532164
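
The single-fetch behaviour suggested in the report, as an added example that is neither keystone's code nor part of the original report. A constructed in-memory SQLite table stands in for revocation_event; RevocationStore, check_token, the reduced three-column schema, the one-hour TTL and the revocation rule are assumptions made for illustration. The cache lives for one request only, so a revocation recorded between requests is still seen by the next one.

```python
import sqlite3
from datetime import datetime, timedelta

NOW = datetime(2016, 1, 8, 10, 0, 0)   # constructed request time
TTL = timedelta(hours=1)               # assumed token lifetime used for pruning

class RevocationStore:
    """Hypothetical stand-in for the revocation_event table (three columns only)."""
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE revocation_event (user_id, issued_before, revoked_at)")
        self.round_trips = 0

    def revoke_user(self, user_id, when):
        ts = when.isoformat(" ")
        self.db.execute("INSERT INTO revocation_event VALUES (?, ?, ?)", (user_id, ts, ts))

    def list_events(self, now, ttl):
        """One DELETE + SELECT pair, like the queries quoted in the report."""
        self.round_trips += 1
        self.db.execute("DELETE FROM revocation_event WHERE revoked_at < ?",
                        ((now - ttl).isoformat(" "),))
        return self.db.execute("SELECT user_id, issued_before FROM "
                               "revocation_event ORDER BY revoked_at").fetchall()

def is_revoked(token, events):
    # Assumed rule: revoked if the user has an event issued at or after the token.
    return any(uid == token["user_id"] and token["issued_at"] <= before
               for uid, before in events)

def check_token(store, auth, subject, now=NOW, ttl=TTL, shared=True):
    """Validate both tokens; shared=True fetches the event list once per request."""
    cache = []                             # request-scoped, discarded on return
    def fetch():
        if not shared or not cache:        # uncached mode, or first lookup
            cache[:] = [store.list_events(now, ttl)]
        return cache[0]
    # Three lookups as reported: one for the auth token, two for the subject token.
    checks = [(auth, fetch()), (subject, fetch()), (subject, fetch())]
    return not any(is_revoked(tok, ev) for tok, ev in checks)

def sample_store():
    store = RevocationStore()                                   # constructed data
    store.revoke_user("u-stale", NOW - timedelta(hours=2))      # older than TTL
    store.revoke_user("u-revoked", NOW - timedelta(minutes=10))
    return store

def token(user_id, minutes_old):
    return {"user_id": user_id,
            "issued_at": (NOW - timedelta(minutes=minutes_old)).isoformat(" ")}
```

With shared=False the store's round_trips counter reaches 3 for one check, matching the report; with shared=True it stays at 1 and the validation result is unchanged.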
