[Openstack-operators] Load on Keystone database

Ramakrishna, Deepti deepti.ramakrishna at intel.com
Mon Jun 29 19:46:11 UTC 2015

Hi Matt,

Thanks for your response.

Ø  I found that this reduced token validation performance by approximately 2x.
Compared to what? Having no revocation events at all?

Ø  I did not go into more detail on where the slowness was coming from.
As you know, when list-revoked-tokens is called, we do a cleanup-expired-revocation-events operation. But, most of the time there is nothing to delete (since list-revoked-tokens is called so frequently). So, a 2x performance degradation is surprising. I would love to see a detailed analysis of where exactly it is happening. This will also be required so that we can come up with a right fix for this problem.


From: tadowguy at gmail.com [mailto:tadowguy at gmail.com] On Behalf Of Matt Fischer
Sent: Tuesday, June 23, 2015 2:58 PM
To: Ramakrishna, Deepti
Cc: openstack-operators at lists.openstack.org; Bhandaru, Malini K
Subject: Re: [Openstack-operators] Load on Keystone database

Deepti, sorry for replying off-list before, that was an accident. I have some new info though:

I ran some numbers on this today just from a general benchmark POV. We had 900 revocation events in our system as the result of some automated testing. I found that this reduced token validation performance by approximately 2x. I did not go into more detail on where the slowness was coming from. This setup is also using fernet tokens, so only revocations are in the db. We are now re-examining some of our test automation to keep the number of revocation events low.  We don't typically have more than a few revocation events at a time unless we're running some tests.

In addition to tests, I believe the revocations are created when you log-out of Horizon. I'm not sure whether that's a change we made or whether it's in the main Horizon.

I think that this area may bear some more investigation by the keystone team.

On Wed, Jun 3, 2015 at 12:07 PM, Ramakrishna, Deepti <deepti.ramakrishna at intel.com<mailto:deepti.ramakrishna at intel.com>> wrote:

I am currently working on fixing bug #1456797<https://bugs.launchpad.net/keystone/+bug/1456797>, which is about building a mechanism to purge expired token revocation events from keystone database. While investigating this bug, I noticed that we actually already purge expired revocation events, but we do it from the list-revocation-events API. Since the list-revocation-events API is so frequently called, this translates to high frequency of delete calls on the keystone database. I was wondering if any of you have noticed issues arising due to this load on keystone db. If so, I would be interested in hearing about your experience. If the current design unduly stresses the db, I can move out the purge feature from the list-revocation-events API.


OpenStack-operators mailing list
OpenStack-operators at lists.openstack.org<mailto:OpenStack-operators at lists.openstack.org>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20150629/7b3f95db/attachment.html>

More information about the OpenStack-operators mailing list