Thank you very much for the explanation and for the articles. I will use the Newton release of Keystone and Swift. Thanks a lot

Best regards,
Alexandr

On Sat, Dec 10, 2016 at 11:13 PM, Steve Martinelli <s.martine...@gmail.com> wrote:

> Re-sending Matt's reply since he is not subscribed to this mailing list
> and it bounced back.
>
> ---------------------------
>
> Matt Fischer wrote:
>
> Alexandr,
>
> I would not use Fernet without caching, but that said I strongly recommend
> against UUID tokens for any reason. Make sure you set up caching on the
> swift side & the keystone side. You could consider that an L1 and L2 cache
> where from Swift's POV its authtoken cache is L1 and keystone's cache is
> L2. If you do that I believe the performance will be acceptable.
>
> The slowness comes when Keystone has to attempt to decrypt the uncached
> tokens.
>
> Also if you're looking to squeeze out the last bit of performance from
> your keystone, using the deprecated (and not tested in the gate)
> Python-MySQL driver instead of pymysql is about 6% faster. That carries
> risks as it's untested and becoming less widely used. We switched to
> pymysql as has openstack-ansible and several other deployments.
>
> On Sat, Dec 10, 2016 at 3:23 PM, Steve Martinelli <s.martine...@gmail.com>
> wrote:
>
>> On Sat, Dec 10, 2016 at 10:59 AM, Alexandr Porunov <
>> alexandr.poru...@gmail.com> wrote:
>>
>>> Hello,
>>>
>>> I read a blog about performance comparison between fernet and uuid
>>> tokens. They said that fernet tokens are 30% faster for creation but 400%
>>> slower for validation. Is it true?
>>>
>>>
>> I assume you are reading Dolph's blog post [1], that data is based off of
>> the kilo branch, we've made some improvements to performance since then, he
>> should probably do a follow up post for how the same performance tests run
>> on Newton ;)
>>
>> Token validation can be improved using caching, which we worked on in
>> Liberty, Mitaka and Newton (the latest Mitaka release (9.2.0) includes a
>> critical performance fix, it was not backported to Liberty). Revocation
>> events are still an issue for performance, but we've been addressing that
>> in Ocata. I don't think we'll be able to backport the fixes for poor
>> revocation performance though, unfortunately it goes against the backport
>> policy.
>>
>>
>> FWIW, Matt Fischer has 4 blog posts about using fernet tokens in
>> production [2], they are very detailed and performance oriented. I really
>> recommend reading them, it's great stuff.
>>
>>
>> [1] http://dolphm.com/benchmarking-openstack-keystone-token-formats/
>> [2] https://www.mattfischer.com/blog/?tag=fernet
>>
>>
>> stevemar
>>
>>
>>
>>> I want to use Keystone for Swift. I will have many requests with the
>>> same tokens so I need faster validation than faster creation. I would use
>>> uuid tokens but fernet tokens give us very good pros (we don't need to use
>>> a database). So, I decided to cache all fernet tokens on the Swift Proxy
>>> side for 30 minutes. Will the performance be the same for checking tokens
>>> in a cache or fernet tokens will still be 400% slower?
>>>
>>> Sincerely,
>>> Alexandr
>>>
>>
>>
>
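The two cache tiers described in Matt's reply, written out as an added configuration sketch (not taken from the thread or from either project's documentation). The memcached address, the pipeline contents and the cache lifetimes are assumptions; the 1800-second value mirrors the 30 minutes mentioned in the original question.

```ini
# ---- Swift proxy: /etc/swift/proxy-server.conf (the "L1" cache) ----
# Assumed pipeline; the point is that "cache" comes before "authtoken"
# so the middleware can reuse Swift's memcache connection.
[pipeline:main]
pipeline = catch_errors cache authtoken keystoneauth proxy-server

[filter:cache]
use = egg:swift#memcache
memcache_servers = 127.0.0.1:11211

[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
# Store validated tokens in the Swift cache found under this env key.
cache = swift.cache
# Seconds a validated token is served from cache without asking Keystone.
# Trade-off: a token revoked in Keystone can keep working on this proxy
# until its cache entry expires, so size this to the revocation delay
# you can tolerate.
token_cache_time = 1800

# ---- Keystone: /etc/keystone/keystone.conf (the "L2" cache) ----
[token]
provider = fernet
# Cache validation results so a token is decrypted once, not per request.
caching = true

[cache]
enabled = true
backend = oslo_cache.memcache_pool
memcache_servers = 127.0.0.1:11211
```

With both tiers enabled, only the first validation of a token within a cache window reaches Keystone's Fernet decryption path; restrict network access to the memcached instances, since memcached is unauthenticated by default and the cached entries contain validated token data.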