Reviewed: https://review.openstack.org/641499 Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=112fa29a7472d8d51f2bc920fc3a13fea8d6e8b8 Submitter: Zuul Branch: master
commit 112fa29a7472d8d51f2bc920fc3a13fea8d6e8b8 Author: Lance Bragstad <[email protected]> Date: Wed Mar 6 22:17:15 2019 +0000 Only validate tokens once per request Keystone actually validates each token twice for every API request. Regardless of caching being configured, we have an opportunity to try and spend less time doing something we've already done. The first the token is validated is actually done through a keystonemiddleware hook. The second time is to populate a context object that we can use for things like policy decisions. Closes-Bug: 1819036 Change-Id: Ifd7f6f0a1dcd33ad17646cae383132cfc2462f03 ** Changed in: keystone Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1819036 Title: keystone validates X-Auth-Token twice on every request Status in OpenStack Identity (keystone): Fix Released Bug description: A user came to use in IRC asking about caching feedback [0]. Using the performance results they supplied (linked in the IRC conversation), we noticed that keystone is actually validating tokens twice on every request. This is due to the fact keystone overrides the keystonemiddleware auth_token implementation's fetch_token() method [1]. We do this because fetch_token doesn't need to put a request on the wire to a keystone service when middleware is sitting directly in front of the token validation API. So, the idea is to just validate the token locally instead of building a request to call an identity server. Shortly after, we have some request processing code that takes a token and uses it to build request context values. The token is validated again [2] so that we can use the values from the token response to build a context object. The context object is used later in keystone to do things like policy enforcement. Since both calls to the validate_token() method are within the same piece of software, we could attempt to cache the token response to save on another token validation trip. Based on the performance numbers shared in IRC, a solution to this would cut response times for all requests by about 20%. [0] http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2019-03-06.log.html#t2019-03-06T21:33:44 [1] https://git.openstack.org/cgit/openstack/keystone/tree/keystone/server/flask/request_processing/middleware/auth_context.py#n241 [2] https://git.openstack.org/cgit/openstack/keystone/tree/keystone/server/flask/request_processing/middleware/auth_context.py#n419 To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1819036/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
