yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1796887] [NEW] Validation of tokens degraded after upgrade to Rocky

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Jose Castro Leon <jose.castro.leon@xxxxxxx>
Date: Tue, 09 Oct 2018 13:07:42 -0000
Reply-to: Bug 1796887 <1796887@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

Recently we have upgraded Keystone to the Rocky release and we saw a
quite noticiable increase of the response on validation of certain types
of tokens. Specifically tokens that are created from trusts.

On the new token model (keystone/models/token_model.py) that's evaluated
several times during token validation, the call to retrieve the roles
from the trust is retrieving the information directly from the DB with
no caching whatsoever. On other operations of the token_model, this
information is only requested once, and then cached for following
operations.

Since we are using heat and magnum, that are heavily using trusts, we
were impacted by this change of validation response.

** Affects: keystone
     Importance: Undecided
         Status: New

** Description changed:

  Recently we have upgraded Keystone to the Rocky release and we saw a
  quite noticiable increase of the response on validation of certain types
  of tokens. Specifically tokens that are created from trusts.
  
- On the new token model (keystone/model/token_model.py) that's evaluated
+ On the new token model (keystone/models/token_model.py) that's evaluated
  several times during token validation, the call to retrieve the roles
  from the trust is retrieving the information directly from the DB with
  no caching whatsoever. On other operations of the token_model, this
  information is only requested once, and then cached for following
  operations.
  
  Since we are using heat and magnum, that are heavily using trusts, we
  were impacted by this change of validation response.

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1796887

Title:
  Validation of tokens degraded after upgrade to Rocky

Status in OpenStack Identity (keystone):
  New

Bug description:
  Recently we have upgraded Keystone to the Rocky release and we saw a
  quite noticiable increase of the response on validation of certain
  types of tokens. Specifically tokens that are created from trusts.

  On the new token model (keystone/models/token_model.py) that's
  evaluated several times during token validation, the call to retrieve
  the roles from the trust is retrieving the information directly from
  the DB with no caching whatsoever. On other operations of the
  token_model, this information is only requested once, and then cached
  for following operations.

  Since we are using heat and magnum, that are heavily using trusts, we
  were impacted by this change of validation response.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1796887/+subscriptions

Follow ups

[Bug 1796887] Re: Validation of tokens degraded after upgrade to Rocky
From: OpenStack Infra, 2018-10-23