OpenStack Identity (Keystone)
Trent Lloyd 67b5cca032 Improve application credential validation speed
Validating an application credential token is very slow, taking at least
400ms+ in a simple devstack environment, 5-10x longer than validating a
user/password project token.

The primary bottleneck during a token validation request
(/v3/auth/tokens) is that token.roles is evaluated at least 5 times.
validate_token is called twice, first during RBAC to populate the
subject token context and again to actually validate the token. Each
call to validate_token then called token.roles twice because it first
checks if it is None, before calling it again to use the result. Lastly
token.roles is evaluated a fifth time during
render_token_response_from_model.

Each evaluation of token.roles calls through
_get_application_credential_roles into list_role_assignments which then
makes multiple round-trip SQL queries to the database.

Unlike the related get_roles_for_user_and_project function, none of
these calls are currently cached/memoized. We memoize
list_role_assignments to get the same speedup.

Reduce the number of token.roles calls to only 3 by storing and re-using
the token.roles result in validate_token, then memoize
list_role_assignments so the 2nd and 3rd call fetch from the cache
instead of repeating many SQL queries.

This provides a substantial performance improvement, bringing validation
time in line with user/password tokens.

Change-Id: I8c45131b298ceae7b43b42e2c5df167607d18c48
2024-01-02 08:46:24 +00:00
api-ref/source Merge "api-ref: Correct app credentials auth response" 2023-07-10 13:59:54 +00:00
config-generator Move policy generator config to config-generator/ 2017-04-21 21:47:32 +00:00
devstack Update keystone gates to use jammy 2023-09-08 13:39:31 -05:00
doc Merge "doc: Update the installtion guide for RHEL8/CentOS8 and RHEL9/CentOS9" 2023-11-10 20:22:53 +00:00
etc Fix outdated default catalog template 2023-03-31 18:12:21 +09:00
examples/pki Remove support for PKI and PKIz tokens 2016-11-01 22:05:01 +00:00
httpd Remove admin interface in sample Apache file 2018-03-24 12:56:02 +01:00
keystone Improve application credential validation speed 2024-01-02 08:46:24 +00:00
keystone_tempest_plugin Replace git.openstack.org URLs with opendev.org URLs 2019-04-24 11:51:00 +08:00
playbooks Add FIPS check job 2021-08-04 14:25:06 -04:00
rally-jobs fix rally docs url 2018-05-21 16:24:51 +08:00
releasenotes Merge "Update master for stable/2023.2" 2023-11-07 18:33:01 +00:00
tools db: Remove legacy migrations 2023-02-28 17:26:39 +00:00
.coveragerc Change ignore-errors to ignore_errors 2015-09-21 14:27:58 +00:00
.gitignore Tell reno to ignore the kilo branch 2020-02-21 13:51:02 -05:00
.gitreview OpenDev Migration Patch 2019-04-19 19:30:29 +00:00
.mailmap update mailmap with gyee's new email 2015-11-03 16:12:01 -08:00
.stestr.conf Migrate to stestr 2017-09-22 11:07:09 -05:00
.zuul.yaml Update keystone gates to use jammy 2023-09-08 13:39:31 -05:00
CONTRIBUTING.rst Use https for docs.openstack.org references 2017-01-30 16:05:08 -08:00
HACKING.rst Merge "Update links in keystone" 2017-10-06 16:10:56 +00:00
LICENSE Added Apache 2.0 License information. 2012-02-15 17:48:33 -08:00
README.rst Moving IRC network reference to OFTC 2021-07-16 13:58:33 +00:00
babel.cfg setting up babel for i18n work 2012-06-21 18:03:09 -07:00
bindep.txt Fix bindep.txt for python 3.11 job(Debian Bookworm) 2023-11-29 12:41:29 +09:00
reno.yaml Tell reno to ignore the kilo branch 2020-02-21 13:51:02 -05:00
requirements.txt db: Remove legacy migrations 2023-02-28 17:26:39 +00:00
setup.cfg Update python testing as per zed cycle teting runtime 2022-05-10 19:30:04 -05:00
setup.py Cleanup py27 support 2020-04-08 08:37:30 +02:00
test-requirements.txt Stop pinning pep8 related packages 2023-10-02 15:41:36 -05:00
tox.ini Stop pinning pep8 related packages 2023-10-02 15:41:36 -05:00

README.rst

OpenStack Keystone

OpenStack Keystone provides authentication, authorization and service discovery mechanisms via HTTP primarily for use by projects in the OpenStack family. It is most commonly deployed as an HTTP interface to existing identity systems, such as LDAP.

Developer documentation, the source of which is in doc/source/, is published at:

https://docs.openstack.org/keystone/latest

The API reference and documentation are available at:

https://docs.openstack.org/api-ref/identity

The canonical client library is available at:

https://opendev.org/openstack/python-keystoneclient

Documentation for cloud administrators is available at:

https://docs.openstack.org/

The source of documentation for cloud administrators is available at:

https://opendev.org/openstack/openstack-manuals

Information about our team meeting is available at:

https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting

Release notes are available at:

https://docs.openstack.org/releasenotes/keystone

Bugs and feature requests are tracked on Launchpad at:

https://bugs.launchpad.net/keystone

Future design work is tracked at:

https://specs.openstack.org/openstack/keystone-specs

Contributors are encouraged to join IRC (#openstack-keystone on OFTC):

https://wiki.openstack.org/wiki/IRC

Source for the project:

https://opendev.org/openstack/keystone

For information on contributing to Keystone, see CONTRIBUTING.rst.