yahoo-eng-team team mailing list archive

[Bug 1700852] [NEW] Slow listing projects for user with many role assignments

 

Public bug reported:

With a large number of role assignments (e.g. 500) it becomes very slow
to list the projects a user has access to (via /users/<id>/projects).
I'm seeing times of around 4 seconds versus 0.1 for a user with a couple
of assignments.

Instrumenting list_projects_for_user
(https://github.com/openstack/keystone/blob/stable/newton/keystone/assignment/core.py#L268),
where each number is the time elapsed since the start of
list_projects_for_user, I get:

  list_projects_for_user 3.998 role_assignments
  list_projects_for_user 3.999 project_ids
  list_projects_for_user 4.105 list_projects

The time is spent on the call made to list_role_assignments on line 269
which in turn calls _list_effective_role_assignments at
https://github.com/openstack/keystone/blob/stable/newton/keystone/assignment/core.py#L986.

Listing role assignments for a user directly (with GET
/role_assignments?user.id=<id>) is very fast, which is further
indication that something in the effective role processing is the cause.
I haven't yet timed the internals of _list_effective_role_assignments.


Running keystone newton (though I believe this would apply to master) with users in LDAP but roles and projects managed by keystone.

** Affects: keystone
     Importance: Medium
         Status: Confirmed

** Affects: keystone/newton
     Importance: Undecided
         Status: Won't Fix

** Affects: keystone/ocata
     Importance: Medium
         Status: Confirmed


** Tags: ocata-backport-potential performance

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1700852
