Keystone reads users from LDAP too slow
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mirantis OpenStack | Status tracked in 10.0.x | | |
10.0.x | Confirmed | High | Unassigned |
7.0.x | Won't Fix | High | Boris Bobrov |
8.0.x | Won't Fix | High | Boris Bobrov |
9.x | Won't Fix | High | Boris Bobrov |
Bug Description
I've deployed MOS 7.0 with the Fuel Keystone LDAP plugin and tried to list users with Horizon. Everything works slowly, but fine, and there were no errors.
After that I've created 5K users in the LDAP. Somewhere after 1.5K users, Horizon requests to Keystone started failing with a timeout error.
When Horizon is waiting for the Keystone response, I see in the Keystone logs (/var/log/
2015-09-17 11:37:47.990 12575 DEBUG keystone.
2015-09-17 11:37:47.991 12575 DEBUG keystone.
After that I've deleted almost all users from LDAP (only auto_user0, auto_user1, auto_user10 and the admin users were left) and tried to fetch them again with Horizon. And I've got the same lines:
2015-09-17 11:37:47.969 12575 DEBUG keystone.
2015-09-17 11:37:47.978 12575 DEBUG keystone.
2015-09-17 11:37:47.980 12575 DEBUG keystone.
2015-09-17 11:37:47.982 12575 DEBUG keystone.
2015-09-17 11:37:47.989 12575 DEBUG keystone.
2015-09-17 11:37:47.990 12575 DEBUG keystone.
2015-09-17 11:37:47.991 12575 DEBUG keystone.
2015-09-17 11:37:47.998 12575 DEBUG keystone.
2015-09-17 11:37:48.000 12575 DEBUG keystone.
2015-09-17 11:37:48.001 12575 DEBUG keystone.
2015-09-17 11:37:48.009 12575 DEBUG keystone.
2015-09-17 11:37:48.011 12575 DEBUG keystone.
2015-09-17 11:37:48.012 12575 DEBUG keystone.
2015-09-17 11:37:48.019 12575 DEBUG keystone.
2015-09-17 11:37:48.020 12575 DEBUG keystone.
2015-09-17 11:37:48.021 12575 DEBUG keystone.
The problem is that users auto_user-1070, auto_user-1069, auto_user-1067, etc. are no longer present in LDAP. And even 24 hours after the users have been deleted from LDAP, there are a lot of lines where Keystone says that it maps these users. And it looks like while Keystone maps users, Horizon is waiting for a response. So, even if LDAP does not have many users, Horizon can't get a response from Keystone for listing users and fails with a timeout.
Here is how LDAP is configured with Keystone:
/etc/keystone/
[ldap]
user_allow_
user=cn=
user_filter=
user_name_
user_pass_
user_enabled_
suffix=
password=Pass1234
url=ldap:
user_allow_
user_allow_
user_objectclas
user_tree_
query_scope=sub
user_id_
debug_level=-1
page_size = 50
[identity]
driver=
description: | updated |
Changed in mos: | |
status: | New → Confirmed |
description: | updated |
summary: |
- Keystone loggs that it maps already non-existent users
+ Keystone logs that it maps already non-existent users |
summary: |
- Keystone logs that it maps already non-existent users
+ Keystone reads users from LDAP too slowly |
summary: |
- Keystone reads users from LDAP too slowly
+ Keystone reads users from LDAP too slow |
tags: | added: customer-found |
tags: | added: area-keystone move-to-9.0 |
tags: | added: enhancement |
tags: | added: release-notes |
Changed in mos: | |
status: | In Progress → Won't Fix |
tags: | added: wontfix-feature |
tags: | added: 8.0 release-notes-done |
tags: | removed: release-notes |
We've decided to implement limiting. The implementation is traced in PROD-2000