| 2017-06-28 15:16:53 |
Steve McLellan |
description |
With a large number of role assignments (e.g 500) it becomes very slow to list the projects a user has access to (via /users/<id>/projects). I'm seeing times of around 4 seconds versus 0.1 for a user with a couple of assignments.
Instrumenting list_projects_for_user (https://github.com/openstack/keystone/blob/stable/newton/keystone/assignment/core.py#L268), where each number is the time elapsed since the start of list_projects_for_user, I get:
list_projects_for_user 3.998 role_assignments
list_projects_for_user 3.999 project_ids
list_projects_for_user 4.105 list_projects
The time is spent on the call made to list_role_assignments on line 269 which in turns calls _list_effective_role_assignments at https://github.com/openstack/keystone/blob/stable/newton/keystone/assignment/core.py#L986.
Listing role assignments for a user directly (with GET /role_assignments?user.id=<id>) is very fast, which is further indication that something in the effective role processing is the cause. I haven't yet timed the internal of _list_effective_role_assignments.
Running keystone newton (though I believe this would apply to master) with users in LDAP but roles and projects managed by keystone. |
With a large number of role assignments (e.g 500) it becomes very slow to list the projects a user has access to (via /users/<id>/projects). I'm seeing times of around 4 seconds versus 0.1 for a user with a couple of assignments.
Instrumenting list_projects_for_user (https://github.com/openstack/keystone/blob/stable/newton/keystone/assignment/core.py#L268), where each number is the time elapsed since the start of list_projects_for_user, I get:
list_projects_for_user 3.998 role_assignments
list_projects_for_user 3.999 project_ids
list_projects_for_user 4.105 list_projects
The time is spent on the call made to list_role_assignments on line 269 which in turns calls _list_effective_role_assignments at https://github.com/openstack/keystone/blob/stable/newton/keystone/assignment/core.py#L986.
Listing role assignments for a user directly (with GET /role_assignments?user.id=<id>) is very fast, which is further indication that something in the effective role processing is the cause. I haven't yet timed the internal of _list_effective_role_assignments.
Running keystone mitaka (though I believe this would apply to master) with users in LDAP but roles and projects managed by keystone. |
|
