[Openstack-operators] Galera setup testing

Matt Fischer matt at mattfischer.com
Fri Dec 11 13:43:12 UTC 2015


On Fri, Dec 11, 2015 at 12:25 AM, Ajaya Agrawal <ajku.agr at gmail.com> wrote:

> Thanks Matt. That surely is helpful. If you could share some numbers or
> problems you faced when you were storing UUID tokens in database, it would
> be awesome. In my test setup with Keystone Kilo, Fernet token creation and
> validation were way slower than UUID tokens. But UUID tokens come with a
> huge cost to database which is the pain point. I have never run Keystone
> with UUID tokens in Prod setup. So I am looking for perspective on Keystone
> with UUID in prod setup.
>
> Thanks to other people who also chimed in with advice.
>


Fernet token validation is slower than UUID but not worth the pain that
UUIDs in the DB cause. We had several instances where a storm of token
requests would leave the cluster out of sync which caused haproxy to remove
the node from the cluster, which then made the problem worse. We also have
a cross-DC cluster which can exacerbate the issue, even with a fast pipe.
We'll be upgrading Keystone shortly to a newer master (we're on Kilo + a
month right now) and I expect to see some perf improvement there for Fernet
based on talking to the Keystone team.

Fernet is going to become the default; that's the path Keystone is headed,
so if I were starting a new production cloud, I'd want to choose that route
too.