yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1830679] Re: Security groups RBAC cause a major performance degradation

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1830679@xxxxxxxxxxxxxxxxxx>
Date: Wed, 10 Jul 2019 03:37:31 -0000
Reply-to: Bug 1830679 <1830679@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Reviewed:  https://review.opendev.org/665566
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=a240c68022d96c8639652cbdf57e707e68fb2a88
Submitter: Zuul
Branch:    master

commit a240c68022d96c8639652cbdf57e707e68fb2a88
Author: Miguel Lavalle <miguel.lavalle@xxxxxxxxxxxxxxxx>
Date:   Sun Jun 16 19:59:03 2019 -0500

    Fix list security groups performance with RBAC
    
    After change [1], if the system has a high number of security groups
    with no associated RBAC entries, a non admin user owning only one
    security group will experience unacceptable response times when
    listing her security groups.
    
    Change [1] added methods get_object and get_objects to class
    RbacNeutronDbObjectMixin in neutron.objects.rbac_db, which retrieve with
    and admin context all the objects (networks, subnets or security groups)
    in the DB and then decide in memory whether the project that made the
    query has access to them or not, based on their associated RBAC
    policies. This change proposes to remove those methods and revert to
    their counterparts in NeutronDbObject (neutron.objects.base), which use
    a DB query scoped to the project to retrieve the objects based on their
    associated RBAC policies by calling [2]. In this way, the potential
    number of objects that are retrieved from the DB and that have to be
    converted to OVOs is greatly reduced, improving significantly the
    response time to the user.
    
    [1] https://review.opendev.org/#/c/635311
    [2] https://github.com/openstack/neutron-lib/blob/7a58374fde64fdc14e327940dde6bea4a8a39345/neutron_lib/db/model_query.py#L100
    
    Change-Id: Idd303778d83089da8fbeff40e3dda2bd19008d8e
    Closes-Bug: #1830679


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1830679

Title:
  Security groups RBAC cause a major performance degradation

Status in neutron:
  Fix Released

Bug description:
  On stable/Stein & Train, a setup with about 6000 security groups of different tenants.
  Using admin user, getting all security groups with GET /v2.0/security-groups HTTP/1.1 takes about 70 seconds.
  Using the credentials of one of the tenants, who has only 1 security groups takes about 800 seconds.

  Looking at the mysql DB logs reveals lots of RBAC related queries during thoee 800 seconds.
  Tried to revert the RBAC PATCH https://review.opendev.org/#/c/635311/ that is a partial fix of https://bugs.launchpad.net/neutron/+bug/1817119 , and it solved the issue completely. 
  Now it takes less than a seconds to get security groups of a tenant.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1830679/+subscriptions

References

[Bug 1830679] [NEW] Security groups RBAC cause a major performance degradation
From: Adit Sarfaty, 2019-05-28