I happened to run across an unrelated github issue: https://github.com/terraform-providers/terraform-provider-openstack/issu es/271
which gave me a clue to what I was missing. I needed to include some additional variables (see steps 7 through 9 below).
Revised steps - which works fine with the OpenStack Client: 0) set appropriate OS_* variables for password authentication 1) create a token using "openstack token issue" 2) unset all OS_* environment variables 3) set OS_TOKEN to the token's value provided in #1 4) set OS_AUTH_TYPE to "v3token" 5) set OS_AUTH_URL to the respective KeyStone endpoint 6) set OS_IDENTITY_API_VERSION to "3" 7) set OS_PROJECT_DOMAIN_ID as appropriate 8) set OS_PROJECT_NAME as appropriate 9) set OS_REGION_NAME as appropriate 10) use the CLI as normal
This shaves anywhere from 0.2 to 0.6 seconds off of a test command I'm running when compared to password authentication (which normally takes about 2.5 seconds to run), where a new token is issued each time.
openstack token revoke works as expected too.
Eric
hah, that's my issue.
The problem though is that keystoneauth actually does fetch a new token every time even when you supply it with one, but that new token is based on the one you supply, and is a scoped token. It's likely the api for getting a token from an existing one is faster than password auth. I wish there was a way to have the tools actually reuse a given scoped token rather than fetch a new one every time...
OS_TOKEN is also useful/important because of MFA, which otherwise wouldn't work unless you reuse a token. And I'm hoping that when someone has time to work MFA support properly into the cli tool they can hopefully also think about how to make the token reuse better.
On 21/08/20 8:29 pm, Eric K. Miller wrote:
I happened to run across an unrelated github issue: https://github.com/terraform-providers/terraform-provider-openstack/issu es/271
which gave me a clue to what I was missing. I needed to include some additional variables (see steps 7 through 9 below).
Revised steps - which works fine with the OpenStack Client: 0) set appropriate OS_* variables for password authentication
- create a token using "openstack token issue"
- unset all OS_* environment variables
- set OS_TOKEN to the token's value provided in #1
- set OS_AUTH_TYPE to "v3token"
- set OS_AUTH_URL to the respective KeyStone endpoint
- set OS_IDENTITY_API_VERSION to "3"
- set OS_PROJECT_DOMAIN_ID as appropriate
- set OS_PROJECT_NAME as appropriate
- set OS_REGION_NAME as appropriate
- use the CLI as normal
This shaves anywhere from 0.2 to 0.6 seconds off of a test command I'm running when compared to password authentication (which normally takes about 2.5 seconds to run), where a new token is issued each time.
openstack token revoke works as expected too.
Eric
The problem though is that keystoneauth actually does fetch a new token every time even when you supply it with one, but that new token is based on the one you supply, and is a scoped token. It's likely the api for getting a token from an existing one is faster than password auth. I wish there was a way to have the tools actually reuse a given scoped token rather than fetch a new one every time...
Interesting! I was kinda wondering if that was actually what was happening. It still seems like quite a bit of a delay compared to running the OpenStack Client and running commands on its command line repeatedly (as opposed to loading the OpenStack Client each time). I assumed that there was still some work to load Python, etc., but using --debug does show a pull of the service catalog, which is slow. It definitely would be nice to have a way to save/load the "session" that is created by the OpenStack Client to avoid all of the overhead, or, as you said, provide a scoped token.
I tested the performance again to be sure I wasn't going crazy, and with OS_TOKEN, it is definitely between 0.2 and 0.6 (most of the time at the higher end of this) seconds faster. Any improvement is good.
OS_TOKEN is also useful/important because of MFA, which otherwise wouldn't work unless you reuse a token. And I'm hoping that when someone has time to work MFA support properly into the cli tool they can hopefully also think about how to make the token reuse better.
You mentioned "MFA support properly". What issue exists? I'm interested since I was about to look into this next.
Thanks!
Eric
participants (2)
-
Adrian Turjak
-
Eric K. Miller