Revert to caching fernet tokens the same way we do UUID

In Liberty we used to cache the whole token at the provider manager
validate token call. However, in Mitaka we changed this, for
non-persistent tokens (e.g. fernet), to instead attempt to cache
the individual components that make up the token. This change caused
validating a fernet token to become 5 times slower than the same
operation in Liberty (as well as UUID in both releases).

This patch re-instates full-token caching for fernet. This should be
considered somewhat of a bandaid to redress the performance
degradation, while we work to restructure our token issuance
and validation to simplify the multiple code paths.

In terms of invalidation of such a cache, this change effectively
reverts to the Liberty approach where anything logged to the
revocation manager will still cause validation of the token to fail
(this is checked for all token types). However, the alternate (and
confusingly additional) "direct" invalidation of the cache via
the persistence manager will, like in Liberty, not have any
effect with cached fernet tokens. As far as I can tell, all
situations where we currently want a token revoked will send
this information to both the revoke and persistence managers,
hence this change should not result in any tokens remaining
valid when they shouldn't.

Closes-Bug: #1590179
Change-Id: I80371746735edac075eec9986e89b54b66bc47cb
(cherry picked from commit 9c89e07b11)
Henry Nash 2016-06-07 06:34:21 +01:00 committed by Brant Knudson
parent 87d67946e7
commit a878664f5d
1 changed files with 8 additions and 0 deletions


@ -287,6 +287,10 @@ class Manager(manager.Manager):
LOG.debug('Unable to validate token: %s', e)
raise exception.TokenNotFound(token_id=token_id)
@MEMOIZE
def validate_non_persistent_token(self, token_id):
return self.driver.validate_non_persistent_token(token_id)
@MEMOIZE
def _validate_token(self, token_id):
if not token_id:
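Review bot: The new memoized validate_non_persistent_token has no docstring stating that a cache hit returns the driver's earlier result without re-validating the token, so its safety depends entirely on the caller still running the revocation check on every call. Nothing in these lines enforces that, so please document the contract on the method (for example, "result may be served from cache; callers must still check revocation events") and add a test that validates a fernet token, records a revocation event for it, and asserts that the next validation fails while the cached entry is still present. It would also help to state, in the same docstring, how token expiry is handled on a cache hit, since the visible lines do not show it.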
@ -425,6 +429,10 @@ class Manager(manager.Manager):
self._validate_token.invalidate(self, token_id)
self._validate_v2_token.invalidate(self, token_id)
self._validate_v3_token.invalidate(self, token_id)
# This method isn't actually called in the case of non-persistent
# tokens, but we include the invalidation in case this ever changes
# in the future.
self.validate_non_persistent_token.invalidate(self, token_id)
def revoke_token(self, token_id, revoke_chain=False):
revoke_by_expires = False
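Review bot: The added validate_non_persistent_token.invalidate(self, token_id) call is, by its own comment, never reached for non-persistent tokens, so it gives no protection today and may lead a reader to assume cached fernet validations are cleared here. The comment should say explicitly that revocation events are the only effective invalidation path for cached fernet tokens, and that any future revocation route which writes only to the persistence side would leave a cached token valid until the cache entry expires. A regression test that revokes a fernet token through each supported revocation route and asserts validation fails would make that assumption checkable rather than implied.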