[openstack-dev] [Keystone] Memcache user token index and PKI tokens
Kieran Spear
kispear at gmail.com
Mon Jul 15 08:06:10 UTC 2013
Hi all,
I want to backport the fix for the "Token List in Memcache can consume
an entire memcache page" bug[1] to Grizzly, but I had a couple of
questions:
1. Why do we need to store the entire token data in the
usertoken-<userid> key? This data always seems to be hashed before
indexing into the 'token-<tokenid>' keys anyway. The size of the
memcache data for a user's token list currently grows by 4k every time
a new PKI token is created. It doesn't take long to hit 1MB at this
rate even with the above fix.
2. Every time it creates a new token, Keystone loads each token from
the user's token list with a separate memcache call so it can throw it
away if it's expired. This seems excessive. Is it anything to worry
about? If it just checked the first two tokens you'd get the same
effect on a longer time scale.
I guess part of the answer is to decrease our token expiry time, which
should mitigate both issues. Failing that we'd consider moving to the
SQL backend.
Cheers,
Kieran
[1] https://bugs.launchpad.net/keystone/+bug/1171985
More information about the OpenStack-dev
mailing list