67b5cca032
Validating an application credential token is very slow, taking at least 400ms+ in a simple devstack environment, 5-10x longer than validating a user/password project token. The primary bottleneck during a token validation request (/v3/auth/tokens) is that token.roles is evaluated at least 5 times. validate_token is called twice, first during RBAC to populate the subject token context and again to actually validate the token. Each call to validate_token then called token.roles twice because it first checks if it is None, before calling it again to use the result. Lastly token.roles is evaluated a fifth time during render_token_response_from_model. Each evaluation of token.roles calls through _get_application_credential_roles into list_role_assignments which then makes multiple round-trip SQL queries to the database. Unlike the related get_roles_for_user_and_project function, none of these calls are currently cached/memoized. We memoize list_role_assignments to get the same-speedup. Reduce the number of token.roles calls to only 3 by storing and re-using the token.roles result in validate_token, then memoize list_role_assignments so the 2nd and 3rd call fetch from the cache instead of repeating many SQL queries. This provides a substantial performance improvement bringing validation time in-line with user/password tokens. Change-Id: I8c45131b298ceae7b43b42e2c5df167607d18c48 |
||
|---|---|---|
| .. | ||
| __init__.py | ||
| receipt_model.py | ||
| revoke_model.py | ||
| token_model.py | ||