increase token validation performance relating to revoked tokens
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Identity (keystone) |
Fix Released
|
High
|
Richard | ||
Bug Description
Currently, there is are two methods called is_revoke and matches that iterate over all revoked events one by one and then further iterate over every field, one by one until it can either short circuit by not matching one value in the event to the passed in token, or until it has matched all fields of non-empty values in the revocation event to the corresponding fields in the given token.
In most cases, the token is not revoked and it will iterate over the entire list of revocations. As the list gets longer, validation becomes slower. You start to see big performance issues around 1500+ revocation entries. It would be nice to directly query the database using sql instead of pulling all the revocation events down, deserializing them, and then iterating over each one in python.
| Changed in keystone: | |
| assignee: | nobody → Richard (csravelar) |
| Changed in keystone: | |
| status: | New → In Progress |
| Steve Martinelli (stevemar) wrote | #1 |
| Changed in keystone: | |
| importance: | Undecided → High |
| milestone: | none → ocata-1 |
| Changed in keystone: | |
| assignee: | Richard (csravelar) → Ron De Rose (ronald-de-rose) |
| Changed in keystone: | |
| assignee: | Ron De Rose (ronald-de-rose) → Richard (csravelar) |
| Changed in keystone: | |
| assignee: | Richard (csravelar) → Ron De Rose (ronald-de-rose) |
| OpenStack Infra (hudson-openstack) wrote Fix proposed to keystone (master) | #2 |
| OpenStack Infra (hudson-openstack) wrote Change abandoned on keystone (master) | #3 |
| Changed in keystone: | |
| assignee: | Ron De Rose (ronald-de-rose) → nobody |
| tags: | added: performance |
| Richard (csravelar) wrote | #4 |
| Changed in keystone: | |
| assignee: | nobody → Richard (csravelar) |
| status: | In Progress → Fix Released |
Patch: https:/