Common Ldap handler connection pooling

Bug #1320997 reported by Arun Kant
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Arun Kant

Bug Description

Currently, the LDAP API handler establishes a new connection for identity data (user, group) lookup, which becomes quite costly when TLS support is enabled.

In performance testing with 100 concurrent users, with OpenLDAP as the LDAP server, we observed that the LDAP identity backend takes around 9-15 times more time (around 7-10 seconds) than the MySQL identity backend, and 77% of the time is spent in LDAP data retrieval for the authentication request.

So locally we tried to optimize LDAP lookup by using connection pooling (https://pypi.python.org/pypi/ldappool/1.0), and that has improved performance numbers by 30%.

This request is to make a similar enhancement in the LDAP handler code to use connection pooling.

Arun Kant (arukant)
description: updated
Arun Kant (arukant)
Changed in keystone:
assignee: nobody → Arun Kant (arunkant-uws)
Dolph Mathews (dolph)
tags: added: performance
Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Medium
status: New → Triaged
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/95300

Changed in keystone:
status: Triaged → In Progress
Arun Kant (arukant)
summary: - Identity Ldap driver connection pooling
+ Common Ldap handler connection pooling
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/95300
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ea689ff78f47ca762a4c46a726917b290c52cfef
Submitter: Jenkins
Branch: master

commit ea689ff78f47ca762a4c46a726917b290c52cfef
Author: Arun Kant <email address hidden>
Date: Fri May 23 15:25:38 2014 -0700

    Adding support for ldap connection pooling.

    Using ldappool library to establish connection pooling.
    Connection pooling is disabled by default.
    Pooling specific configuration parameters are added in ldap section.
    Added pool test using existing FakeLdap as connector class.
    Added pool specific ldap live test. These tests are executed similar to
    existing ldap live test.
    Addressed async search_s and result3 API issues mentioned in review.
    Added separate connection pool for end user auth bind done by keystone
    identity ldap driver logic to avoid saturation of pool by these kind of
    binds and limiting pool effectiveness for other ldap operations.
    Rebased with latest master and addressed doc comments.

    Change-Id: If516a0d308a7f3be88df5583a30739a935076173
    Closes-Bug: #1320997
    bp: ldap-connection-pooling
    DocImpact

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → juno-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: juno-3 → 2014.2
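
An added example, not part of the bug report or the keystone commit: a keystone.conf [ldap] fragment that turns on the pooling described in the commit message, including the separate pool for end-user authentication binds. The option names are keystone's documented [ldap] pooling options, which this page does not list; the server URL and all values are illustrative assumptions.

```ini
[ldap]
# Constructed example server. With ldaps:// every new connection pays a TLS
# handshake, which is the cost the bug report attributes to unpooled lookups.
url = ldaps://ldap.example.org

# Pool for keystone's own LDAP operations (user and group lookups).
# The commit message states pooling is disabled by default, so enable it explicitly.
use_pool = true
# Maximum number of pooled connections (illustrative value).
pool_size = 10
# Reconnect attempts, and delay in seconds between them, when the server is unreachable.
pool_retry_max = 3
pool_retry_delay = 0.1
# Connection timeout in seconds; -1 means connections never time out.
pool_connection_timeout = -1
# Seconds a pooled connection may live before it is closed and reopened.
pool_connection_lifetime = 600

# Separate pool for end-user authentication binds, so that a burst of logins
# cannot saturate the pool used for the lookups above.
use_auth_pool = true
auth_pool_size = 100
# A short lifetime limits how long a connection bound with a user's
# credentials stays reusable.
auth_pool_connection_lifetime = 60
```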