Reviewed: https://review.opendev.org/665566 Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=a240c68022d96c8639652cbdf57e707e68fb2a88 Submitter: Zuul Branch: master
commit a240c68022d96c8639652cbdf57e707e68fb2a88 Author: Miguel Lavalle <[email protected]> Date: Sun Jun 16 19:59:03 2019 -0500 Fix list security groups performance with RBAC After change [1], if the system has a high number of security groups with no associated RBAC entries, a non admin user owning only one security group will experience unacceptable response times when listing her security groups. Change [1] added methods get_object and get_objects to class RbacNeutronDbObjectMixin in neutron.objects.rbac_db, which retrieve with and admin context all the objects (networks, subnets or security groups) in the DB and then decide in memory whether the project that made the query has access to them or not, based on their associated RBAC policies. This change proposes to remove those methods and revert to their counterparts in NeutronDbObject (neutron.objects.base), which use a DB query scoped to the project to retrieve the objects based on their associated RBAC policies by calling [2]. In this way, the potential number of objects that are retrieved from the DB and that have to be converted to OVOs is greatly reduced, improving significantly the response time to the user. [1] https://review.opendev.org/#/c/635311 [2] https://github.com/openstack/neutron-lib/blob/7a58374fde64fdc14e327940dde6bea4a8a39345/neutron_lib/db/model_query.py#L100 Change-Id: Idd303778d83089da8fbeff40e3dda2bd19008d8e Closes-Bug: #1830679 ** Changed in: neutron Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron. https://bugs.launchpad.net/bugs/1830679 Title: Security groups RBAC cause a major performance degradation Status in neutron: Fix Released Bug description: On stable/Stein & Train, a setup with about 6000 security groups of different tenants. Using admin user, getting all security groups with GET /v2.0/security-groups HTTP/1.1 takes about 70 seconds. Using the credentials of one of the tenants, who has only 1 security groups takes about 800 seconds. Looking at the mysql DB logs reveals lots of RBAC related queries during thoee 800 seconds. Tried to revert the RBAC PATCH https://review.opendev.org/#/c/635311/ that is a partial fix of https://bugs.launchpad.net/neutron/+bug/1817119 , and it solved the issue completely. Now it takes less than a seconds to get security groups of a tenant. To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/1830679/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
