The RevokeTree was built out of an attempt to optimize the search for a match between a candidate token and the list of revocation events. The performance proved to be poor, mostly due to the cost of creating and checking hash values. The RevokeTree code is also so complex that most of the team could not understand it or troubleshoot it. There are some subtle bugs due to race conditions with revocation events, and it is impossible to track them down due to the code complexity. This change replaces the tree-based search with a linear search through the list of revocation events. A failure to match will pass through the entire list. A revoked token should match on O(n/2) comparisons. With the past year of Fernet tokens in deployment, the feedback is that the number of revocation events is small, and they are only kept for the lifetime of the tokens (usually 1-8 hours), so the linear search is not expected to slow down token validations in live deployments. Future work will also reduce the number of revocation events. Change-Id: Ib6a686494e897840b09d134ecf1ca50ce712f281
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from keystone import assignment
from keystone import auth
from keystone import catalog
from keystone.common import cache
from keystone import credential
from keystone import endpoint_policy
from keystone import federation
from keystone import identity
from keystone import oauth1
from keystone import policy
from keystone import resource
from keystone import revoke
from keystone import token
from keystone import trust
def load_backends():
    """Configure the cache regions, build every manager and return them.

    Returns:
        A dict keyed by the ``*_api`` attribute names (``assignment_api``,
        ``identity_api``, ``revoke_api``, ...) holding the manager
        instances.  ``auth.controllers.load_auth_methods()`` is invoked as a
        side effect just before the dict is returned.
    """
    # The unnamed default region comes first; each named region is then
    # configured and immediately given its invalidation patch, in the same
    # order as before (catalog, assignments, revocation events).
    cache.configure_cache()
    named_regions = (
        catalog.COMPUTED_CATALOG_REGION,
        assignment.COMPUTED_ASSIGNMENTS_REGION,
        revoke.REVOKE_REGION,
    )
    for region in named_regions:
        cache.configure_cache(region=region)
        cache.apply_invalidation_patch(region=region, region_name=region.name)

    # Instantiation order is deliberate: the identity driver must exist
    # before the assignment manager, and the assignment driver before the
    # resource manager, because the default resource driver depends on
    # assignment, which in turn depends on identity.
    # TODO(morganfainberg): In "O" release move the identity manager to be
    # instantiated directly in the drivers dict once assignment driver being
    # selected based upon [identity]/driver is removed.
    identity_api = identity.Manager()
    assignment_api = assignment.Manager()

    # Values are evaluated left to right, so the remaining managers are
    # still constructed in this order (resource after assignment).
    drivers = {
        'assignment_api': assignment_api,
        'catalog_api': catalog.Manager(),
        'credential_api': credential.Manager(),
        'domain_config_api': resource.DomainConfigManager(),
        'endpoint_policy_api': endpoint_policy.Manager(),
        'federation_api': federation.Manager(),
        'id_generator_api': identity.generator.Manager(),
        'id_mapping_api': identity.MappingManager(),
        'identity_api': identity_api,
        'shadow_users_api': identity.ShadowUsersManager(),
        'oauth_api': oauth1.Manager(),
        'policy_api': policy.Manager(),
        'resource_api': resource.Manager(),
        'revoke_api': revoke.Manager(),
        'role_api': assignment.RoleManager(),
        'token_api': token.persistence.Manager(),
        'trust_api': trust.Manager(),
        'token_provider_api': token.provider.Manager(),
    }

    auth.controllers.load_auth_methods()

    return drivers