<div dir="ltr">Deepti, sorry for replying off-list before, that was an accident. I have some new info though:<div><br></div><div>I ran some numbers on this today just from a general benchmark POV. We had 900 revocation events in our system as the result of some automated testing. I found that this reduced token validation performance by approximately 2x. I did not go into more detail on where the slowness was coming from. This setup is also using fernet tokens, so only revocations are in the db. We are now re-examining some of our test automation to keep the number of revocation events low. We don't typically have more than a few revocation events at a time unless we're running some tests.</div><div><br></div><div>In addition to tests, I believe the revocations are created when you log-out of Horizon. I'm not sure whether that's a change we made or whether it's in the main Horizon.<br><div><br></div><div>I think that this area may bear some more investigation by the keystone team.</div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jun 3, 2015 at 12:07 PM, Ramakrishna, Deepti <span dir="ltr"><<a href="mailto:deepti.ramakrishna@intel.com" target="_blank">deepti.ramakrishna@intel.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="#0563C1" vlink="#954F72">
<div>
<p class="MsoNormal">Hi,<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">I am currently working on fixing bug #<a href="https://bugs.launchpad.net/keystone/+bug/1456797" target="_blank">1456797</a>, which is about building a mechanism to purge expired token revocation events from keystone database. While investigating this
bug, I noticed that we actually already purge expired revocation events, but we do it from the list-revocation-events API. Since the list-revocation-events API is so frequently called, this translates to high frequency of delete calls on the keystone database.
I was wondering if any of you have noticed issues arising due to this load on keystone db. If so, I would be interested in hearing about your experience. If the current design unduly stresses the db, I can move out the purge feature from the list-revocation-events
API.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Thanks,<u></u><u></u></p>
<p class="MsoNormal">Deepti<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
<br>_______________________________________________<br>
OpenStack-operators mailing list<br>
<a href="mailto:OpenStack-operators@lists.openstack.org">OpenStack-operators@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators</a><br>
<br></blockquote></div><br></div>