yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1626205] [NEW] increase token validation performance relating to revoked tokens

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Richard <csravelar@xxxxxxxxx>
Date: Wed, 21 Sep 2016 17:26:02 -0000
Reply-to: Bug 1626205 <1626205@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

Currently, there is are two methods called is_revoke and matches that
iterate over all revoked events one by one and then further iterate over
every field, one by one until it can either short circuit by not
matching one value in the event to the passed in token, or until it has
matched all fields of non-empty values in the revocation event to the
corresponding fields in the given token.

In most cases, the token is not revoked and it will iterate over the
entire list of revocations. As the list gets longer, validation becomes
slower. You start to see big performance issues around 1500+ revocation
entries. It would be nice to directly query the database using sql
instead of pulling all the revocation events down, deserializing them,
and then iterating over each one in python.

** Affects: keystone
     Importance: Undecided
     Assignee: Richard (csravelar)
         Status: In Progress


** Tags: revoke

** Changed in: keystone
     Assignee: (unassigned) => Richard (csravelar)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1626205

Title:
  increase token validation performance relating to revoked tokens

Status in OpenStack Identity (keystone):
  In Progress

Bug description:
  Currently, there is are two methods called is_revoke and matches that
  iterate over all revoked events one by one and then further iterate
  over every field, one by one until it can either short circuit by not
  matching one value in the event to the passed in token, or until it
  has matched all fields of non-empty values in the revocation event to
  the corresponding fields in the given token.

  In most cases, the token is not revoked and it will iterate over the
  entire list of revocations. As the list gets longer, validation
  becomes slower. You start to see big performance issues around 1500+
  revocation entries. It would be nice to directly query the database
  using sql instead of pulling all the revocation events down,
  deserializing them, and then iterating over each one in python.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1626205/+subscriptions

Follow ups

[Bug 1626205] Re: increase token validation performance relating to revoked tokens
From: Richard, 2016-11-07