[Openstack-operators] [openstack-dev] Gaining access to consoles.

Matt Fischer matt at mattfischer.com
Wed Aug 12 02:24:10 UTC 2015


It was covered some here:
http://lists.openstack.org/pipermail/openstack-dev/2015-July/069658.html
and some graphs here: http://www.mattfischer.com/blog/?p=672

tl;dr is that having revoked tokens affects keystone token validation and
tokens are validated on almost every API call unless you're using some
caching.

It's not a reason to skip this idea, but its something I'm wary of since I
get the call whenever Keystone gets slow. Depending on how many revocations
it generates, I might turn it off. To be honest I'm not sure how much this
feature is used by our customers.

On Tue, Aug 11, 2015 at 8:16 PM, Tony Breeds <tony at bakeyournoodle.com>
wrote:

> On Mon, Aug 10, 2015 at 07:16:43PM -0600, Matt Fischer wrote:
>
> > I'm not excited about making this the default until token revocations
> don't
> > impact performance the way that they do now. I don't know how often this
> > would get exercised though, but the impact of 100+ token revokes is
> > noticeable on every API call.
>
> I'm not certain what you mean here.  Can you elaborate on where you're
> seeing
> token revocations impacting performance.  The only place I can see we do
> this
> revocation/removal is in mirgrate and delete paths and certainly not on
> every
> API call.
>
> Yours Tony.
>
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20150811/8b55c675/attachment.html>


More information about the OpenStack-operators mailing list