enabled_emulation greatly reduces keystone performance

Bug #1299033 reported by Matt Fischer
This bug affects 3 people
Affects: OpenStack Identity (keystone)
Status: Triaged
Importance: Low
Assigned to: Unassigned
Milestone: (none)

Bug Description

When enabled_emulation is enabled, the performance of Keystone suffers greatly. I see an approx. 4x slower result when it is enabled. I discussed this some in my blog post (http://www.mattfischer.com/blog/?p=561) and was asked to file a bug by Yuriy. Here are some results. Each query had about 20 results, but I've removed them since they have private emails and whatnot.

enabled_emulation off:

root@j1:~# time keystone user-list
+--------------+--------------+---------+---------------------------+
| id | name | enabled | email |
+--------------+--------------+---------+---------------------------+
| admin | admin | True | |
...
+--------------+--------------+---------+---------------------------+

real 0m2.767s
user 0m0.380s
sys 0m0.284s

enabled_emulation on:

root@j1:~# time keystone user-list
+--------------+--------------+---------+---------------------------+
| id | name | enabled | email |
+--------------+--------------+---------+---------------------------+
| admin | admin | True | |
...
+--------------+--------------+---------+---------------------------+

real 0m9.099s
user 0m0.508s
sys 0m0.084s

Similar results happen for tenant enabled emulation.

My LDAP box is a Free IPA server running on CentOS if that matters.

I'm running Keystone 2013.2.2-0ubuntu1~cloud0

Dolph Mathews (dolph)
tags: added: performance
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
tags: added: ldap
Steve Martinelli (stevemar) wrote :

There hasn't been any analysis of this; I'm wondering how many others are affected by this issue. Maybe we should look at removing the enabled emulation option? Does ldappool make the performance better?

Matt Fischer (mfisch) wrote :

ldappool may help but I'm guessing that absolutely zero people use this. Wasn't there also a change between this version and now that told ldap not to load all the attributes for an object?

Matt Fischer (mfisch) wrote :

In case that was not clear +1 to remove. Should discuss in Austin.

Matt Fischer (mfisch) wrote :

Love that I keep commenting to myself but my blog post has more details and some analysis by nkinder:

http://www.mattfischer.com/blog/?p=561

Morgan Fainberg (mdrnstm) wrote :

This is being de-prioritized and tagged "ldap-legacy". New (py3) compat LDAP code will be based on ldap3 library and will be a new driver. There is not a huge win in fixing this unless that initiative goes south.

Until the new driver exists though, this cannot be closed as "won't fix" since the current code is not "deprecated" yet.

tags: added: ldap-legacy
Changed in keystone:
importance: Medium → Low
s10 (vlad-esten) wrote :

As of Queens, this bug still exists. user_enabled_emulation makes user list 4x slower.

Environment:
keystone 13.0.2
python-ldappool 2.4.0
python-ldap 3.1.0

Douglas Mendizábal (dougmendizabal) wrote :

Matt's blog appears to be offline now (no surprise as it's many years later). There is an archive of the post: http://web.archive.org/web/20141014110644/http://www.mattfischer.com/blog/?p=561

tags: added: reviewed-bobcat