Revert to caching fernet tokens the same way we do UUID
In Liberty we used to cache the whole token at the provider manager validate token call. However, in Mitaka we changed this, for non-persistent tokens (e.g. fernet), to instead attempt to cache the individual components that make up the token. This change caused validating a fernet token to become 5 times slower than the same operation in Liberty (as well as UUID in both releases). This patches re-instates full-token caching for fernet. This should be considered somewhat of a bandaid to redress the performance degredation, while we work to restructure our token issuance and validation to simplify the multiple code paths. In terms of invalidation of such a cache, this change effectively reverts to the Liberty approach where anything logged to the revokation manager will still cause validaiton of the token to fail (this is checked for all token types). However, the alternate (and confusingly additonal) "direct" invalidation of the cache via the pesistance manager will, like in Liberty, not have any effect with cached fernet tokens. As far as I can tell, all situations where we currently want a token revoked will send this information to both the revoke and persistance managers, hence this change should not result in any tokens remaining valid when they shouldn't. Closes-Bug: #1590179 Change-Id: I80371746735edac075eec9986e89b54b66bc47cb
This commit is contained in:
parent
b4e2ce74f8
commit
9c89e07b11
|
@ -287,6 +287,10 @@ class Manager(manager.Manager):
|
|||
LOG.debug('Unable to validate token: %s', e)
|
||||
raise exception.TokenNotFound(token_id=token_id)
|
||||
|
||||
@MEMOIZE
|
||||
def validate_non_persistent_token(self, token_id):
|
||||
return self.driver.validate_non_persistent_token(token_id)
|
||||
|
||||
@MEMOIZE
|
||||
def _validate_token(self, token_id):
|
||||
if not token_id:
|
||||
|
@ -427,6 +431,10 @@ class Manager(manager.Manager):
|
|||
self._validate_token.invalidate(self, token_id)
|
||||
self._validate_v2_token.invalidate(self, token_id)
|
||||
self._validate_v3_token.invalidate(self, token_id)
|
||||
# This method isn't actually called in the case of non-persistent
|
||||
# tokens, but we include the invalidation in case this ever changes
|
||||
# in the future.
|
||||
self.validate_non_persistent_token.invalidate(self, token_id)
|
||||
|
||||
def revoke_token(self, token_id, revoke_chain=False):
|
||||
token_ref = token_model.KeystoneToken(
|
||||
|
|
Loading…
Reference in New Issue