[openstack-dev] [Keystone][Oslo] Caching tokens in auth token middleware
Vishvananda Ishaya
vishvananda at gmail.com
Sat Mar 2 01:15:27 UTC 2013
On Mar 1, 2013, at 4:40 PM, Dolph Mathews <dolph.mathews at gmail.com> wrote:
>
> On Fri, Mar 1, 2013 at 4:59 PM, Jay Pipes <jaypipes at gmail.com> wrote:
> On 03/01/2013 01:18 PM, Vishvananda Ishaya wrote:
> > Hi Everyone,
> >
> > So I've been doing some profiling of api calls against devstack and I've discovered that a significant portion of time spent is in the auth_token middleware validating the PKI token. There is code to turn on caching of the token if memcache is enabled, but this seems like overkill in most cases. We should be caching the token in memory by default. Fortunately, nova has some nifty code that will use an in-memory cache if memcached isn't available.
>
> We gave up on PKI in Folsom after weeks of trouble with it:
>
> * Unstable -- Endpoints would stay up >24 hours but after around 24
> hours (sometimes sooner), the endpoint would stop working properly with
> the server user suddenly returned a 401 when trying to authenticate a
> token. Restarting the endpoint with a service nova-api restart gets rid
> of the 401 Unauthorized for a few hours and then it happens again.
>
> Obviously that's not acceptable behavior; is there a bug tracking this issue? I poked around but didn't see anything related to unexpected 401's.
This bug was fixed quite a while ago:
https://bugs.launchpad.net/keystone/+bug/1074172
https://review.openstack.org/#/c/15242/
But it looks like it was never backported to stable/folsom. I've proposed it here:
https://review.openstack.org/#/c/23334/
If someone can target the bug to folsom that would be awesome.
Vish
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130301/ea56463e/attachment.html>
More information about the OpenStack-dev
mailing list