[Openstack-operators] Load on Keystone database

Matt Fischer matt at mattfischer.com
Tue Jun 23 21:58:25 UTC 2015


Deepti, sorry for replying off-list before, that was an accident. I have
some new info though:

I ran some numbers on this today just from a general benchmark POV. We had
900 revocation events in our system as the result of some automated
testing. I found that this reduced token validation performance by
approximately 2x. I did not go into more detail on where the slowness was
coming from. This setup is also using fernet tokens, so only revocations
are in the db. We are now re-examining some of our test automation to keep
the number of revocation events low.  We don't typically have more than a
few revocation events at a time unless we're running some tests.

In addition to tests, I believe the revocations are created when you
log-out of Horizon. I'm not sure whether that's a change we made or whether
it's in the main Horizon.

I think that this area may bear some more investigation by the keystone
team.

On Wed, Jun 3, 2015 at 12:07 PM, Ramakrishna, Deepti <
deepti.ramakrishna at intel.com> wrote:

>  Hi,
>
>
>
> I am currently working on fixing bug #1456797
> <https://bugs.launchpad.net/keystone/+bug/1456797>, which is about
> building a mechanism to purge expired token revocation events from keystone
> database. While investigating this bug, I noticed that we actually already
> purge expired revocation events, but we do it from the
> list-revocation-events API. Since the list-revocation-events API is so
> frequently called, this translates to high frequency of delete calls on the
> keystone database. I was wondering if any of you have noticed issues
> arising due to this load on keystone db. If so, I would be interested in
> hearing about your experience. If the current design unduly stresses the
> db, I can move out the purge feature from the list-revocation-events API.
>
>
>
> Thanks,
>
> Deepti
>
>
>
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20150623/70fc9e70/attachment.html>


More information about the OpenStack-operators mailing list