yahoo-eng-team team mailing list archive
Message #77630
[Bug 1819036] Re: keystone validates X-Auth-Token twice on every request
Reviewed: https://review.openstack.org/641499
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=112fa29a7472d8d51f2bc920fc3a13fea8d6e8b8
Submitter: Zuul
Branch: master
commit 112fa29a7472d8d51f2bc920fc3a13fea8d6e8b8
Author: Lance Bragstad <lbragstad@xxxxxxxxx>
Date: Wed Mar 6 22:17:15 2019 +0000
Only validate tokens once per request
Keystone actually validates each token twice for every API request.
Regardless of caching being configured, we have an opportunity to try
and spend less time doing something we've already done.
The first time the token is validated is actually done through a
keystonemiddleware hook. The second time is to populate a context
object that we can use for things like policy decisions.
Closes-Bug: 1819036
Change-Id: Ifd7f6f0a1dcd33ad17646cae383132cfc2462f03
** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1819036
Title:
keystone validates X-Auth-Token twice on every request
Status in OpenStack Identity (keystone):
Fix Released
Bug description:
A user came to us in IRC asking about caching feedback [0]. Using the
performance results they supplied (linked in the IRC conversation), we
noticed that keystone is actually validating tokens twice on every
request.
This is due to the fact that keystone overrides the keystonemiddleware
auth_token implementation's fetch_token() method [1]. We do this
because fetch_token doesn't need to put a request on the wire to a
keystone service when middleware is sitting directly in front of the
token validation API. So, the idea is to just validate the token
locally instead of building a request to call an identity server.
Shortly after, we have some request processing code that takes a token
and uses it to build request context values. The token is validated
again [2] so that we can use the values from the token response to
build a context object. The context object is used later in keystone
to do things like policy enforcement.
Since both calls to the validate_token() method are within the same
piece of software, we could attempt to cache the token response to
save on another token validation trip. Based on the performance
numbers shared in IRC, a solution to this would cut response times for
all requests by about 20%.
[0] http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2019-03-06.log.html#t2019-03-06T21:33:44
[1] https://git.openstack.org/cgit/openstack/keystone/tree/keystone/server/flask/request_processing/middleware/auth_context.py#n241
[2] https://git.openstack.org/cgit/openstack/keystone/tree/keystone/server/flask/request_processing/middleware/auth_context.py#n419
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1819036/+subscriptions
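An added example, not keystone's code: a sketch of the request-scoped reuse the bug description proposes, where the second call site picks up the first validation result instead of validating again. `CountingProvider`, `validate_once`, `handle_request` and the `ENV_KEY` value are hypothetical names, and the token data is constructed.

```python
"""Request-scoped reuse of a token validation result (illustrative names only)."""


class CountingProvider:
    """Stand-in for a token provider; counts how often validation really runs."""

    def __init__(self, tokens):
        self._tokens = tokens          # constructed sample data: token id -> payload
        self.calls = 0

    def validate_token(self, token_id):
        self.calls += 1
        if token_id not in self._tokens:
            raise LookupError("token not found or revoked")
        return dict(self._tokens[token_id])


ENV_KEY = "example.validated_token"    # hypothetical per-request environ key


def validate_once(provider, environ, token_id):
    """Validate token_id at most once for the request that owns `environ`."""
    cached = environ.get(ENV_KEY)
    # Reuse only when the stored result belongs to this exact token, so one
    # token's payload is never returned for a different token.
    if cached is not None and cached[0] == token_id:
        return cached[1]
    payload = provider.validate_token(token_id)   # a failure raises and is never cached
    environ[ENV_KEY] = (token_id, payload)
    return payload


def handle_request(provider, headers):
    """Mimic the two call sites: the middleware fetch, then context building."""
    environ = {}                                   # fresh per request; nothing outlives it
    token_id = headers["X-Auth-Token"]
    validate_once(provider, environ, token_id)             # first site: middleware hook
    token = validate_once(provider, environ, token_id)     # second site: auth context
    return {"user_id": token["user_id"], "roles": token["roles"]}
```

Because the result lives on the per-request environ rather than in a process-wide map, the next request carrying the same token is validated again, so a revocation between requests is still seen.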