Reviewed: https://review.openstack.org/253273
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8eb29c37d1a5163d4f485c559399a4b82969e21e
Submitter: Zuul
Branch: master
commit 8eb29c37d1a5163d4f485c559399a4b82969e21e
Author: Jorge Munoz <email address hidden>
Date: Fri Nov 24 22:59:32 2017 +0000
Validate disabled domains and projects online
Keystone's performance degrades as the `revocation_event` table grows
in size. This patch reduces the total number of events written to the
table by not persisting events when a domain or project is disabled.
The main reason for persisting a revocation event when a project or
domain is disabled is to make sure tokens associated to those targets
are considered invalid. Instead of relying on revocation events, we
can check if the project or domain is enabled when we validate the
token. We take the same approach when we validate a user's role
assignments instead of relying on an ever-growing database table.
Co-Authored-By: Lance Bragstad <email address hidden>
Closes-Bug: 1524030
Change-Id: I76330567e0df2d9f2af88ef9b6b98b8c379e7406
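
As an added illustration of the approach the commit message describes (not Keystone's code and not part of the original commit), the following in-memory model contrasts validation against persisted revocation events with an online enabled check at validation time. `Backend`, `validate_with_events`, `validate_online` and the sample ids are hypothetical names constructed for this sketch.

```python
"""Added sketch (not Keystone code): revocation events vs. online enabled checks."""
from dataclasses import dataclass


class Unauthorized(Exception):
    pass


@dataclass
class Token:
    user_id: str
    project_id: str
    issued_at: int


class Backend:
    """Hypothetical in-memory stand-in for the resource and revocation tables."""

    def __init__(self):
        self.domains = {"d1": {"enabled": True}}
        self.projects = {"p1": {"enabled": True, "domain_id": "d1"},
                         "p2": {"enabled": True, "domain_id": "d1"}}
        self.revocation_events = []  # models the revocation_event table

    def disable_project(self, project_id, now, persist_event):
        self.projects[project_id]["enabled"] = False
        if persist_event:  # old behaviour: one more row to scan on every validation
            self.revocation_events.append({"project_id": project_id, "revoked_at": now})

    def disable_domain(self, domain_id):
        self.domains[domain_id]["enabled"] = False  # new behaviour: nothing persisted


def validate_with_events(backend, token):
    """Old model: walk the event list; cost grows with the table."""
    for ev in backend.revocation_events:
        if ev["project_id"] == token.project_id and token.issued_at <= ev["revoked_at"]:
            raise Unauthorized("token revoked by event")
    return True


def validate_online(backend, token):
    """New model: look up the token's project and its domain at validation time."""
    project = backend.projects.get(token.project_id)
    if project is None or not project["enabled"]:
        raise Unauthorized("project disabled or missing")
    if not backend.domains.get(project["domain_id"], {}).get("enabled", False):
        raise Unauthorized("domain disabled or missing")
    return True
```

In this model, disabling a project or domain without persisting an event still causes `validate_online` to reject the affected tokens, while the event list stays empty.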