[openstack-dev] [keystone]PKI token VS Fernet token

王玺源 wangxiyuan1007 at gmail.com
Wed Feb 15 10:16:47 UTC 2017


Hello everyone,
  PKI/PKIZ tokens have been removed from keystone in Ocata. But recently our
production team did some tests on PKI and Fernet tokens (with Keystone
Mitaka). They found that in a large-scale production environment, Fernet
token performance is not as good as PKI. Here is the test data:

https://docs.google.com/document/d/12cL9bq9EARjZw9IS3YxVmYsGfdauM25NzZcdzPE0fvY/edit?usp=sharing

From the data, we can see that:
1. In the large-scale concurrency test, PKI is much faster than Fernet.
2. PKI token revocation can't immediately make the token invalid. So it has the
revoke issue. https://wiki.openstack.org/wiki/OSSN/OSSN-0062

But in our production team's opinion, the revoke issue is a small problem,
and can be avoided in some peripheral ways. (A more detailed solution could be
explained by them in a follow-up email.)
They think that the performance issue is the most important thing. Maybe
you can see that in some production environments, performance is the first
thing to be considered.

So here I'd like to ask you, especially the keystone experts:
1. Is there any chance to bring PKI/PKIZ back to Keystone?
2. Has Fernet token performance improved during these releases? Or is there any
road map so that we can make sure Fernet is better than PKI in all aspects?
Otherwise, I don't think that removing PKI in Ocata is the right way. Or
even, we can keep the PKI token in Keystone for one or two more cycles,
then remove it once Fernet is stable enough.
3. Since I'll be in Atlanta next week, if it is possible, I'd like to
bring this topic to the Keystone PTG. Can I?

It is a real production problem and I really need your feedback.

Thanks!