[Openstack-operators] Fwd: Re: Request for Load data for Keystone

Adam Young ayoung at redhat.com
Wed Jan 29 21:08:25 UTC 2014

Making this exchange public.

-------- Original Message --------
Subject: 	Re: [Openstack-operators] Request for Load data for Keystone
Date: 	Tue, 28 Jan 2014 23:37:11 +0100
From: 	Joe Topjian <joe at topjian.net>
To: 	Adam Young <ayoung at redhat.com>

Hi Adam,

On Tue, Jan 28, 2014 at 10:33 PM, Adam Young <ayoung at redhat.com> wrote:

    I'm a Keystone core dev.  I often find myself in the position of
    thinking about Keystone Performance without real numbers to back it up.

    Can people with "real live clouds" provide some insight?  Here's
    what I'd like to know:

    How big is your Keystone data set?  How many

Approximately 150


Approximately 100



    active tokens

memcdump is showing approximately 22,000

    1.  UUID vs PKI tokens?


    2.  Apache HTTPD vs Eventlet:

    Which do you run?  Do you see performance issues with either?

Eventlet. No performance issues. I might move to Apache, but I have no 
real reason.

    How many token revocation events are you seeing?  How long is your
    token revocation list getting?  Which events dominate (change
    password, revoke roles?)

Revocation list is currently 74. I'm not keeping track of event metrics 
such as these.

    Do you run the SQL token backend?  If so, how often do you clean out
    the expired tokens?


    Non performance related questions:

    Are you using the V3 API?  If not, what is keeping you on V2?

Our production clouds are running Grizzly. If v3 is available in 
Grizzly, then we haven't found a need to move to v3. To be honest, 
dealing with OpenStack upgrades takes enough time to plan; unless new 
API versions are automatically enabled during the upgrade, I don't have 
time to bother.

    Do you use trusts?  Do you even understand what they provide?

No and no. Google isn't returning any non-developer docs from 
docs.openstack.org on trusts.

    Do you use SSL or Kerberos?  Do you want to, but find something is
    keeping you from doing so?

I'd love to utilize more features of Keystone, but there's little 
documentation about what is possible:


Your blog posts are great and informative, but I think there needs to be 
more practical official OpenStack Identity documentation.

    If you have answers to these questions, but feel uncomfortable
    posting them publicly, please send them to me directly and I will
    anonymize the answers.  Don't feel like you need to answer
    everything if you have something to contribute in just one topic.

    P.S. We know about the shortcomings of the Identity operations (list
    users in particular).  Those will be addressed separately.
