yahoo-eng-team team mailing list archive

[OpenStack Infra <1796887@xxxxxxxxxxxxxxxxxx>]

Reviewed:  https://review.openstack.org/608963
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d465a58f02f134086d6322c5b858c056a3aea025
Submitter: Zuul
Branch:    master

commit d465a58f02f134086d6322c5b858c056a3aea025
Author: Jose Castro Leon <jose.castro.leon@xxxxxxx>
Date:   Tue Oct 9 15:11:48 2018 +0200

    Add caching on trust role validation to improve performance
    
    In the token model, the trust roles are not cached. This behavior
    impacts services that are using trusts heavily like heat or magnum.
    It introduces new cache data to improve the performance on token
    validation requests on trusts.
    
    Change-Id: I974907b427c34fd5db3228b6139d93bbcdc38df5
    Closes-Bug: #1796887


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1796887

Title:
  Validation of tokens degraded after upgrade to Rocky

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  Recently we have upgraded Keystone to the Rocky release and we saw a
  quite noticiable increase of the response on validation of certain
  types of tokens. Specifically tokens that are created from trusts.

  On the new token model (keystone/models/token_model.py) that's
  evaluated several times during token validation, the call to retrieve
  the roles from the trust is retrieving the information directly from
  the DB with no caching whatsoever. On other operations of the
  token_model, this information is only requested once, and then cached
  for following operations.

  Since we are using heat and magnum, that are heavily using trusts, we
  were impacted by this change of validation response.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1796887/+subscriptions