[Openstack] [OpenStack] [Keystone] Performance difference between fernet and uuid tokens

Steve Martinelli s.martinelli at gmail.com
Sat Dec 10 21:13:09 UTC 2016


Re-sending Matt's reply since he is not subscribed to this mailing list and
it bounced back.

---------------------------

Matt Fischer wrote:

Alexandr,

I would not use Fernet without caching, but that said I strongly recommend
against UUID tokens for any reason. Make sure you set up caching on the
swift side & the keystone side. You could consider that an L1 and L2 cache
where from Swift's POV its authtoken cache is L1 and keystone's cache is
L2. If you do that I believe the performance will be acceptable.

The slowness comes when Keystone has to attempt to decrypt the uncached
tokens.

Also if you're looking to squeeze out the last bit of performance from your
keystone, using the deprecated (and not tested in the gate) Python-MySQL
driver instead of pymysql is about 6% faster. That carries risks as it's
untested and becoming less widely used. We switched to pymysql as has
openstack-ansible and several other deployments.

On Sat, Dec 10, 2016 at 3:23 PM, Steve Martinelli <s.martinelli at gmail.com>
wrote:

> On Sat, Dec 10, 2016 at 10:59 AM, Alexandr Porunov <
> alexandr.porunov at gmail.com> wrote:
>
>> Hello,
>>
>> I read a blog about performance comparison between fernet and uuid
>> tokens. They said that fernet tokens are 30% faster for creation but 400%
>> slower for validation. Is it true?
>>
>>
> I assume you are reading Dolph's blog post [1], that data is based off of
> the kilo branch, we've made some improvements to performance since then, he
> should probably do a follow up post for how the same performance tests run
> on Newton ;)
>
> Token validation can be improved using caching, which we worked on in
> Liberty, Mitaka and Newton (the latest Mitaka release (9.2.0) includes a
> critical performance fix, it was not backported to Liberty). Revocation
> events are still an issue for performance, but we've been addressing that
> in Ocata. I don't think we'll be able to backport the fixes for poor
> revocation performance though, unfortunately it goes against the backport
> policy.
>
>
> FWIW, Matt Fischer has 4 blog posts about using fernet tokens in
> production [2], they are very detailed and performance oriented. I really
> recommend reading them, it's great stuff.
>
>
> [1] http://dolphm.com/benchmarking-openstack-keystone-token-formats/
> [2] https://www.mattfischer.com/blog/?tag=fernet
>
>
> stevemar
>
>
>
>> I want to use Keystone for Swift. I will have many requests with the same
>> tokens so I need faster validation than faster creation. I would use uuid
>> tokens but fernet tokens give us very good pros (we don't need to use a
>> database). So, I decided to cache all fernet tokens on the Swift Proxy side
>> for 30 minutes. Will the performance be the same for checking tokens in a
>> cache or will fernet tokens still be 400% slower?
>>
>> Sincerely,
>> Alexandr
>>
>
>
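
A configuration sketch of the two cache tiers described in Matt's reply (Swift's authtoken cache as L1, Keystone's own cache as L2), added here as an example and not taken from the thread or from any participant's deployment. The memcached address, the file paths and the 1800-second value (the 30 minutes from the original question) are assumptions.

```ini
# ---- L1: Swift proxy, /etc/swift/proxy-server.conf (path assumed) ----
# The "cache" filter must appear before "authtoken" in the proxy pipeline
# so the middleware can find Swift's memcache client in the request env.
[filter:cache]
use = egg:swift#memcache
memcache_servers = 127.0.0.1:11211

[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
# Store validated tokens in Swift's memcache instead of a separate client.
cache = swift.cache
# Seconds a validation result is reused without asking Keystone
# (middleware default is 300). A token revoked in Keystone is still
# accepted from this cache until the entry expires, so this value is
# also the upper bound on revocation delay at the proxy.
token_cache_time = 1800

# ---- L2: Keystone, /etc/keystone/keystone.conf (path assumed) ----
[token]
provider = fernet
# Cache the result of token validation so repeated L1 misses for the
# same token do not each pay the Fernet decryption cost.
caching = true

[cache]
enabled = true
backend = oslo_cache.memcache_pool
memcache_servers = 127.0.0.1:11211
```

Restrict access to the memcached instance to the proxy and Keystone hosts, since cached entries stand in for a successful token validation.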