[Openstack] Keystone should to Apache HTTPD.

Adam Young ayoung at redhat.com
Thu Mar 1 22:18:01 UTC 2012


On 03/01/2012 03:52 PM, Kevin L. Mitchell wrote:
> On Thu, 2012-03-01 at 14:05 -0500, Adam Young wrote:
>> The traffic in an Openstack deployment to a Keystone server is going
>> to be about two orders of magnitude less than any other traffic, and
>> is highly unlikely to be the bottleneck.
> Not quite.  I wrote this up, back in November:
>
>    http://etherpad.openstack.org/keystone-scalability
>
> Since then, of course, Keystone has gone through some major cleanups
> that have improved its efficiency, but, as Vish pointed out in the other
> thread, every service still has to hit Keystone to verify a given token,
> which makes Keystone have the highest number of hits for any given
> operation…which in turn makes it *the* most likely bottleneck.


Good write up.

My SWAG estimate was based on an efficient protocol. I am still
learning Keystone, so I can't say how it is deployed in practice.

HMAC can be supported with a Public/Private key pair fairly easily. If
the HMAC is signed with a private key, the other service can confirm
them with a public key. It should really not require a round trip to
verify a token.



