<div dir="ltr">It was covered some here: <a href="http://lists.openstack.org/pipermail/openstack-dev/2015-July/069658.html">http://lists.openstack.org/pipermail/openstack-dev/2015-July/069658.html</a><div>and some graphs here: <a href="http://www.mattfischer.com/blog/?p=672">http://www.mattfischer.com/blog/?p=672</a><br></div><div><br></div><div>tl;dr is that having revoked tokens affects keystone token validation and tokens are validated on almost every API call unless you're using some caching.</div><div><br></div><div>It's not a reason to skip this idea, but its something I'm wary of since I get the call whenever Keystone gets slow. Depending on how many revocations it generates, I might turn it off. To be honest I'm not sure how much this feature is used by our customers.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Aug 11, 2015 at 8:16 PM, Tony Breeds <span dir="ltr"><<a href="mailto:tony@bakeyournoodle.com" target="_blank">tony@bakeyournoodle.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Mon, Aug 10, 2015 at 07:16:43PM -0600, Matt Fischer wrote:<br>
<br>
> I'm not excited about making this the default until token revocations don't<br>
> impact performance the way that they do now. I don't know how often this<br>
> would get exercised though, but the impact of 100+ token revokes is<br>
> noticeable on every API call.<br>
<br>
</span>I'm not certain what you mean here. Can you elaborate on where you're seeing<br>
token revocations impacting performance. The only place I can see we do this<br>
revocation/removal is in mirgrate and delete paths and certainly not on every<br>
API call.<br>
<br>
Yours Tony.<br>
<br>_______________________________________________<br>
OpenStack-operators mailing list<br>
<a href="mailto:OpenStack-operators@lists.openstack.org">OpenStack-operators@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators</a><br>
<br></blockquote></div><br></div>