Keystone. Configuring cache for fernet tokens
Environment
- Red Hat OpenStack Platform 10
- Red Hat OpenStack Platform 12
- Red Hat OpenStack Platform 13
- Red Hat OpenStack Platform 16.1 (please double-check notes in Resolution section)
Note. For RHOSP 13 and later releases, please check RFE #1584529, which asks the TripleO team to automate cache configuration for fernet tokens.
Related articles:
- memcache_servers parameter format for IPv6 address/hostname
- Enabling memcached for token caching on the Director
Issue
- How to configure cache for fernet tokens?
- Caching fernet tokens.
Resolution
Chapter 4.5, "Puppet: Customizing Hieradata for Roles", of the RHOSP 10 Advanced Overcloud Customization guide describes the general way to add extra configuration to existing overcloud templates. Use that chapter as a reference when adding the following ExtraConfig to existing templates (RHOSP 13 and older releases):
parameter_defaults:
  ExtraConfig:
    keystone::cache_enabled: true
    keystone::memcache_servers: 192.168.1.1:11211,192.168.1.2:11211,192.168.1.3:11211
    keystone::cache_backend: oslo_cache.memcache_pool
    keystone::token_caching: true
For RHOSP 16 it should look like:
parameter_defaults:
  ExtraConfig:
    keystone::cache_enabled: true
    keystone::cache_memcache_servers: 192.168.1.1:11211,192.168.1.2:11211,192.168.1.3:11211
    keystone::cache_backend: oslo_cache.memcache_pool
    keystone::token_caching: true
The IP addresses of the memcache servers can be obtained from hieradata or from another service's configuration.
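After the overcloud update, the rendered keystone.conf can be checked for the settings above. The script below is an added example, not part of the original article or of Red Hat tooling. It assumes the ExtraConfig keys end up as `enabled`, `backend` and `memcache_servers` in the `[cache]` section and `caching` in the `[token]` section; the function names and the sample file content are constructed for illustration.

```python
import configparser

# Constructed sample of a rendered keystone.conf, not taken from a real deployment.
SAMPLE_KEYSTONE_CONF = """\
[DEFAULT]
debug = False

[cache]
enabled = True
backend = oslo_cache.memcache_pool
memcache_servers = 192.168.1.1:11211,192.168.1.2:11211,192.168.1.3:11211

[token]
provider = fernet
caching = True
"""

def _flag(cp, section, option):
    """Read a boolean option; a missing or unparsable value counts as False."""
    try:
        return cp.getboolean(section, option, fallback=False)
    except ValueError:
        return False

def _bad_server(entry):
    """True if an entry is not host:port with a valid TCP port (split on the last colon)."""
    host, _, port = entry.strip().rpartition(":")
    return not host or not port.isdecimal() or not 1 <= int(port) <= 65535

def check_token_cache(conf_text):
    """Return a list of problems; an empty list means token caching is configured."""
    # oslo.config files may repeat options and contain '%', so relax both checks.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    problems = []
    if not _flag(cp, "cache", "enabled"):
        problems.append("[cache] enabled is not true")
    if cp.get("cache", "backend", fallback="") != "oslo_cache.memcache_pool":
        problems.append("[cache] backend is not oslo_cache.memcache_pool")
    servers = [s for s in cp.get("cache", "memcache_servers", fallback="").split(",") if s.strip()]
    if not servers:
        problems.append("[cache] memcache_servers is empty")
    problems += ["bad memcache server entry: " + s.strip() for s in servers if _bad_server(s)]
    if not _flag(cp, "token", "caching"):
        problems.append("[token] caching is not true")
    return problems

if __name__ == "__main__":
    print(check_token_cache(SAMPLE_KEYSTONE_CONF) or "token cache settings look consistent")
```

To check a real controller, pass the text of its deployed keystone.conf to `check_token_cache` in place of the sample.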
Root Cause
Caching fernet tokens is known to provide a 50%+ performance increase, but it could also break the authentication service in case of any serious issue. The RHOSP 10 documentation doesn't contain any details about configuring the [cache] section in keystone.conf.
There is an official RHOSP 10 guide, Deploy Fernet on the Overcloud, but it doesn't contain any information about caching.
Diagnostic Steps
Any administrator of an RHOSP environment that uses fernet tokens and has performance issues should consider implementing this guide.