Deepti, sorry for replying off-list before, that was an accident. I have some new info though:
I ran some numbers on this today just from a general benchmark POV. We had 900 revocation events in our system as the result of some automated testing. I found that this reduced token validation performance by approximately 2x. I did not go into more detail on where the slowness was coming from. This setup is also using fernet tokens, so only revocations are in the db. We are now re-examining some of our test automation to keep the number of revocation events low. We don't typically have more than a few revocation events at a time unless we're running some tests. In addition to tests, I believe the revocations are created when you log-out of Horizon. I'm not sure whether that's a change we made or whether it's in the main Horizon. I think that this area may bear some more investigation by the keystone team. On Wed, Jun 3, 2015 at 12:07 PM, Ramakrishna, Deepti < [email protected]> wrote: > Hi, > > > > I am currently working on fixing bug #1456797 > <https://bugs.launchpad.net/keystone/+bug/1456797>, which is about > building a mechanism to purge expired token revocation events from keystone > database. While investigating this bug, I noticed that we actually already > purge expired revocation events, but we do it from the > list-revocation-events API. Since the list-revocation-events API is so > frequently called, this translates to high frequency of delete calls on the > keystone database. I was wondering if any of you have noticed issues > arising due to this load on keystone db. If so, I would be interested in > hearing about your experience. If the current design unduly stresses the > db, I can move out the purge feature from the list-revocation-events API. > > > > Thanks, > > Deepti > > > > _______________________________________________ > OpenStack-operators mailing list > [email protected] > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > >
_______________________________________________ OpenStack-operators mailing list [email protected] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
