<div dir="ltr"><div>I'm able to recreate this locally. I updated the bug, but I didn't triage it.</div><div><br></div><div>I left a comment with some thoughts on where the extra processing is taking place, but I need to parse more of neutron's policy enforcement engine. i don't think nova is doing per-attribute policy enforcement, which is where I think the extra cycles are in neutron.<br></div><div><br></div><div>Thanks for raising the issue, Slawek.<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Jan 29, 2021 at 10:14 AM Slawek Kaplonski <<a href="mailto:skaplons@redhat.com">skaplons@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi,<br>
<br>
In Neutron we are merging more and more patches related to the secure rbac<br>
policies [1]. Recently we noticed that our neutron-rally-task job is failing<br>
very often [2].<br>
<br>
I did some tests and here is what were my results:<br>
<br>
* on latest neutron, with about 12 patches related to secure rbac merged - list<br>
of 4k ports took about 1m 40s:<br>
<br>
$ time neutron port-list | wc -l<br>
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.<br>
4044<br>
<br>
real 1m41,644s<br>
user 0m0,926s<br>
sys 0m0,087s<br>
<br>
* same test with all those patches reverted - and it took 8 seconds:<br>
<br>
$ sudo systemctl restart devstack@q-svc; sleep 5; time neutron port-list | wc -l<br>
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.<br>
4044<br>
<br>
real 0m8,131s<br>
user 0m0,907s<br>
sys 0m0,120s<br>
<br>
<br>
After a bit of digging I found out that most of the slowdown came from calls of<br>
the method self._handle_deprecated_rule(default) in [3].<br>
When I commented that one line I had results same like without secure-rbac patches:<br>
<br>
$ sudo systemctl restart devstack@q-svc; sleep 5; time neutron port-list | wc -l<br>
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.<br>
4044<br>
<br>
real 0m7,875s<br>
user 0m0,931s<br>
sys 0m0,087s<br>
<br>
<br>
@Lance, can You maybe take a look at it and help me understand if we are doing<br>
something wrong with those new rules in Neutron? Or maybe there is a bug in<br>
oslo_policy?<br>
<br>
[1] <a href="https://review.opendev.org/q/topic:secure-rbac+project:openstack/neutron" rel="noreferrer" target="_blank">https://review.opendev.org/q/topic:secure-rbac+project:openstack/neutron</a><br>
[2] <a href="https://bugs.launchpad.net/neutron/+bug/1913718" rel="noreferrer" target="_blank">https://bugs.launchpad.net/neutron/+bug/1913718</a><br>
[3] <a href="https://github.com/openstack/oslo.policy/blob/e103baa002e54303b08630c436dfc7b0b8a013de/oslo_policy/policy.py#L641" rel="noreferrer" target="_blank">https://github.com/openstack/oslo.policy/blob/e103baa002e54303b08630c436dfc7b0b8a013de/oslo_policy/policy.py#L641</a><br>
<br>
-- <br>
Slawek Kaplonski<br>
Principal Software Engineer<br>
Red Hat<br>
</blockquote></div>