It was covered some here: http://lists.openstack.org/pipermail/openstack-dev/2015-July/069658.html and some graphs here: http://www.mattfischer.com/blog/?p=672
tl;dr is that having revoked tokens affects keystone token validation and tokens are validated on almost every API call unless you're using some caching. It's not a reason to skip this idea, but its something I'm wary of since I get the call whenever Keystone gets slow. Depending on how many revocations it generates, I might turn it off. To be honest I'm not sure how much this feature is used by our customers. On Tue, Aug 11, 2015 at 8:16 PM, Tony Breeds <t...@bakeyournoodle.com> wrote: > On Mon, Aug 10, 2015 at 07:16:43PM -0600, Matt Fischer wrote: > > > I'm not excited about making this the default until token revocations > don't > > impact performance the way that they do now. I don't know how often this > > would get exercised though, but the impact of 100+ token revokes is > > noticeable on every API call. > > I'm not certain what you mean here. Can you elaborate on where you're > seeing > token revocations impacting performance. The only place I can see we do > this > revocation/removal is in mirgrate and delete paths and certainly not on > every > API call. > > Yours Tony. > > _______________________________________________ > OpenStack-operators mailing list > openstack-operat...@lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > >
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
