yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1590179] Re: fernet memcache performance regression

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1590179@xxxxxxxxxxxxxxxxxx>
Date: Wed, 08 Jun 2016 22:01:46 -0000
Reply-to: Bug 1590179 <1590179@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Reviewed:  https://review.openstack.org/326234
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9c89e07b11afa2e12c97d0af514ce5fcc04e2ac3
Submitter: Jenkins
Branch:    master

commit 9c89e07b11afa2e12c97d0af514ce5fcc04e2ac3
Author: Henry Nash <henryn@xxxxxxxxxxxxxxxxxx>
Date:   Tue Jun 7 06:34:21 2016 +0100

    Revert to caching fernet tokens the same way we do UUID
    
    In Liberty we used to cache the whole token at the provider manager
    validate token call. However, in Mitaka we changed this, for
    non-persistent tokens (e.g. fernet), to instead attempt to cache
    the individual components that make up the token. This change caused
    validating a fernet token to become 5 times slower than the same
    operation in Liberty (as well as UUID in both releases).
    
    This patches re-instates full-token caching for fernet. This should be
    considered somewhat of a bandaid to redress the performance
    degredation, while we work to restructure our token issuance
    and validation to simplify the multiple code paths.
    
    In terms of invalidation of such a cache, this change effectively
    reverts to the Liberty approach where anything logged to the
    revokation manager will still cause validaiton of the token to fail
    (this is checked for all token types). However, the alternate (and
    confusingly additonal) "direct" invalidation of the cache via
    the pesistance manager will, like in Liberty, not have any
    effect with cached fernet tokens. As far as I can tell, all
    situations where we currently want a token revoked will send
    this information to both the revoke and persistance managers,
    hence this change should not result in any tokens remaining
    valid when they shouldn't.
    
    Closes-Bug: #1590179
    Change-Id: I80371746735edac075eec9986e89b54b66bc47cb


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1590179

Title:
  fernet memcache performance regression

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  
  Fernet token validation performance got worse in mitaka vs in liberty. This is because it's not using memcache to cache the token anymore.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1590179/+subscriptions

References

[Bug 1590179] [NEW] fernet memcache performance regression
From: Brant Knudson, 2016-06-07