
yahoo-eng-team team mailing list archive

[Bug 1819036] [NEW] keystone validates X-Auth-Token twice on every request

 

Public bug reported:

A user came to us in IRC asking about caching feedback [0]. Using the
performance results they supplied (linked in the IRC conversation), we
noticed that keystone is actually validating tokens twice on every
request.

This is due to the fact keystone overrides the keystonemiddleware
auth_token implementation's fetch_token() method [1]. We do this because
fetch_token doesn't need to put a request on the wire to a keystone
service when middleware is sitting directly in front of the token
validation API. So, the idea is to just validate the token locally
instead of building a request to call an identity server. Shortly after,
we have some request processing code that takes a token and uses it to
build request context values. The token is validated again [2] so that
we can use the values from the token response to build a context object.
The context object is used later in keystone to do things like policy
enforcement.

Since both calls to the validate_token() method are within the same
piece of software, we could attempt to cache the token response to save
on another token validation trip. Based on the performance numbers
shared in IRC, a solution to this would cut response times for all
requests by about 20%.


[0] http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2019-03-06.log.html#t2019-03-06T21:33:44
[1] https://git.openstack.org/cgit/openstack/keystone/tree/keystone/server/flask/request_processing/middleware/auth_context.py#n241
[2] https://git.openstack.org/cgit/openstack/keystone/tree/keystone/server/flask/request_processing/middleware/auth_context.py#n419

** Affects: keystone
     Importance: High
         Status: Triaged


** Tags: performance

** Changed in: keystone
       Status: New => Confirmed

** Changed in: keystone
       Status: Confirmed => Triaged

** Changed in: keystone
   Importance: Undecided => High

** Tags added: performance

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1819036

Title:
  keystone validates X-Auth-Token twice on every request

Status in OpenStack Identity (keystone):
  Triaged

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1819036/+subscriptions
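
The caching idea proposed in the report, as an added sketch that is not keystone's code: the token response is memoized for the lifetime of a single request, so the second validate_token() call is a cache hit while a revoked token is still rejected on the next request. `TokenProvider`, `RequestScopedValidator`, `handle_request` and `make_provider` are hypothetical names, and the token is constructed sample data.

```python
import hashlib
import time


class TokenProvider:
    """Simplified stand-in for a token provider (hypothetical, not keystone's)."""

    def __init__(self, tokens):
        self._tokens = tokens      # token id -> {"user_id", "expires_at"}
        self.revoked = set()
        self.validations = 0       # counts the expensive validations performed

    def validate_token(self, token_id):
        self.validations += 1
        data = self._tokens.get(token_id)
        if (data is None or token_id in self.revoked
                or data["expires_at"] <= time.time()):
            raise PermissionError("invalid token")
        return dict(data)


class RequestScopedValidator:
    """Memoizes the token response for ONE request only."""

    def __init__(self, provider):
        self._provider = provider
        self._cache = {}

    def validate_token(self, token_id):
        # Key on a digest so the raw token is not held as a dictionary key.
        key = hashlib.sha256(token_id.encode()).hexdigest()
        if key not in self._cache:
            # A failed validation raises here and is never cached.
            self._cache[key] = self._provider.validate_token(token_id)
        return self._cache[key]


def handle_request(provider, token_id, cached):
    # A new validator per request: nothing survives into the next request,
    # so revocation and expiry are re-checked every time.
    validator = RequestScopedValidator(provider) if cached else provider
    validator.validate_token(token_id)          # 1st call: fetch_token() override
    token = validator.validate_token(token_id)  # 2nd call: build the auth context
    return {"user_id": token["user_id"]}


def make_provider():
    # Constructed sample token, valid for five minutes.
    return TokenProvider({"tok-constructed": {"user_id": "u-123",
                                              "expires_at": time.time() + 300}})
```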

