← Back to team overview

yahoo-eng-team team mailing list archive

  1. yahoo-eng-team team
  2. Mailing list archive
  3. Message #69479

[Bug 1524030] Re: Reduce revocation events for performance improvement

  Thread PreviousDate PreviousThread Next 
Reviewed:  https://review.openstack.org/253273
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8eb29c37d1a5163d4f485c559399a4b82969e21e
Submitter: Zuul
Branch:    master

commit 8eb29c37d1a5163d4f485c559399a4b82969e21e
Author: Jorge Munoz <elkidster@xxxxxxxxx>
Date:   Fri Nov 24 22:59:32 2017 +0000

    Validate disabled domains and projects online
    
    Keystone's performance degrades as the `revocation_event` table grows
    in size. This patch reduces the total number of events written to the
    table by not persisting events when a domain or project is disabled.
    
    The main reason for persisting a revocation event when a project or
    domain is disabled is to make sure tokens associated to those targets
    are considered invalid. Instead of relying on revocation events, we
    can check if the project or domain is enabled when we validate the
    token. We take the same approach when we validate a user's role
    assignments instead of relying on an ever-growing database table.
    
    Co-Authored-By: Lance Bragstad <lbragstad@xxxxxxxxx>
    
    Closes-Bug: 1524030
    Change-Id: I76330567e0df2d9f2af88ef9b6b98b8c379e7406


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1524030

Title:
  Reduce revocation events for performance improvement

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  Keystone performance reduces as revocation events are written to the
  backend. In an effort to reduce the number of revocation events
  written to the revocation_event table, keystone has to explicitly
  check if a domain or project associated to the token are enabled.

  Patch: https://review.openstack.org/#/c/253273/

  Follow up patches:
  1. Remove revocation events for deleted domains or projects
  2. Remove revocation events for deleted grants
  3. Bug 1511775
  4. Delete unused columns (revocation_table - project and domains)

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1524030/+subscriptions

References

  Thread PreviousDate PreviousThread Next