21 February 2017

Understanding the keystone cache

Why write this document? Because if you do not understand how caching is used in keystone, it is easy to configure it wrongly.

Three questions

  1. Where keystone uses a cache.
  2. How keystone uses memcached.
  3. Not confusing memcached with the cache in keystone.

There are two places in keystone where MC (memcached) can be used:

  1. Token persistence storage.
  2. The cache.

The conclusion first

Using memcache as the token persistence driver is not the same as using it as a cache.

  • When memcache is the persistence driver, no cache is needed any more (think about what memcached was originally designed for; here it is simply being used as the database).
  • When sql is the persistence driver and you want faster token lookups, you need a cache layer such as memcache or redis to speed them up; only then does memcached really count as a cache.

Next, let us see how the official documentation explains it:

Official documentation link: http://docs.openstack.org/developer/keystone/configuration.html

Keystone supports customizable token persistence drivers. These can be specified in the [token] section of the configuration file. Keystone provides three non-test persistence backends. These can be set with the [token] driver configuration option. The drivers Keystone provides are:

  • memcache_pool - The pooled memcached token persistence engine. This backend supports the concept of pooled memcache client object (allowing for the re-use of the client objects). This backend has a number of extra tunable options in the [memcache] section of the config. Implemented by keystone.token.persistence.backends.memcache_pool.Token
  • sql - The SQL-based (default) token persistence engine. Implemented by keystone.token.persistence.backends.sql.Token
  • memcache - The memcached based token persistence backend. This backend relies on dogpile.cache and stores the token data in a set of memcached servers. The servers URLs are specified in the [memcache] servers configuration option in the Keystone config. Implemented by keystone.token.persistence.backends.memcache.Token

So for the token persistence layer there are two kinds of memcache:

  • one is memcache_pool;
  • the other is memcache (a set of memcached servers).

The two do differ. The first is recommended for deployments that are not Apache + mod_wsgi, because keystone by default uses eventlet thread.local for concurrency, which leaks memcache client objects and consumes extra sockets.

Keystone supports a caching layer that is above the configurable subsystems (e.g. token, identity, etc). Keystone uses the dogpile.cache library which allows for flexible cache backends. The majority of the caching configuration options are set in the [cache] section. However, each section that has the capability to be cached usually has a caching boolean value that will toggle caching for that specific section. The current default behavior is that subsystem caching is enabled, but the global toggle is set to disabled.

The cache layer is a cache provided for the whole keystone project, not just for tokens, which is why a caching option appears in several configuration sections.

Two things to note about the cache layer:

  • dogpile.cache.memory is not suitable for production; it is for testing only.
  • As with the persistence driver, dogpile.cache.memcached is not suitable in an eventlet environment.

Note: when the persistence driver is memcached, the caching option under the [token] section should not be enabled, because for tokens that are already stored in memcached a cache on top makes no sense!
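A small configuration check that encodes the rules above (memcached persistence plus [token] caching is pointless, dogpile.cache.memory is test-only, sql persistence wants a cache layer). This is an added example, not keystone code; the two keystone.conf fragments are constructed, and the defaults assumed for missing options follow the post ([token] caching on, [cache] enabled off).

```python
import configparser

# Constructed keystone.conf fragments (not from the page): the first combines memcached
# token persistence with [token] caching, the second is the sql + cache layout.
MEMCACHE_PERSISTENCE_CONF = """
[token]
driver = memcache
caching = true

[cache]
enabled = true
backend = dogpile.cache.memory
"""

SQL_WITH_CACHE_CONF = """
[token]
driver = sql
caching = true

[cache]
enabled = true
backend = dogpile.cache.memcached
memcache_servers = 127.0.0.1:11211
"""

MEMCACHE_PERSISTENCE_DRIVERS = {"memcache", "memcache_pool"}


def check_token_cache_config(conf_text):
    """Return findings for the token persistence / cache combination in conf_text.

    Assumed defaults follow the post: [token] caching defaults to on, [cache] enabled to off.
    """
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    driver = cp.get("token", "driver", fallback="sql")
    token_caching = cp.getboolean("token", "caching", fallback=True)
    cache_enabled = cp.getboolean("cache", "enabled", fallback=False)
    backend = cp.get("cache", "backend", fallback="")
    findings = []
    if driver in MEMCACHE_PERSISTENCE_DRIVERS and token_caching and cache_enabled:
        findings.append("tokens already persist in memcached: set [token] caching = false")
    if cache_enabled and backend == "dogpile.cache.memory":
        findings.append("dogpile.cache.memory is test-only: pick a shared backend for production")
    if driver == "sql" and not cache_enabled:
        findings.append("sql persistence without [cache] enabled: every token lookup hits the database")
    return findings
```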

Currently only the following three kinds of data in keystone support caching:

  • token

The token system has a separate cache_time configuration option, that can be set to a value above or below the global expiration_time default, allowing for different caching behavior from the other systems in Keystone. This option is set in the [token] section of the configuration file. The Token Revocation List cache time is handled by the configuration option revocation_cache_time in the [token] section. The revocation list is refreshed whenever a token is revoked. It typically sees significantly more requests than specific token retrievals or token validation calls.

  • resource

The resource system has a separate cache_time configuration option, that can be set to a value above or below the global expiration_time default, allowing for different caching behavior from the other systems in Keystone. This option is set in the [resource] section of the configuration file. Currently resource has caching for project and domain specific requests (primarily around the CRUD actions). The list_projects and list_domains methods are not subject to caching.

  • role

Currently role has caching for get_role, but not for list_roles. The role system has a separate cache_time configuration option, that can be set to a value above or below the global expiration_time default, allowing for different caching behavior from the other systems in Keystone. This option is set in the [role] section of the configuration file.

Token caching and its configuration in each component

Every API in openstack is a wsgi service, and all of them use the auth_token middleware (a wsgi filter) provided by keystoneclient, located at `keystoneclient/middleware/auth_token.py` (this component has since moved to the new project, `keystonemiddleware/auth_token.py`).

This middleware uses memcache to cache token information locally, reducing the direct requests each service makes to keystone.

The processing logic is basically:

1. First look up the token in the service's own memcache.
2. If the token is found in memcached, check whether it has expired; if not, return the cached content, and if it has, raise an authentication failure exception.
3. If it is not found, send a token validation request to keystone. If validation succeeds, the token data is returned and inserted into the component's local cache; if validation fails, an authentication failure exception is raised.

Taking NOVA as an example, the validation flow in brief:

Flow one: the first request:

  • nova's memcached does not yet contain the token.
  • nova first requests a token from keystone.
  • keystone's backend storage does not have this token either, so it returns the token to NOVA and at the same time stores it in keystone's memcached (or sql).
  • Once NOVA has the new token, it validates it through the validation component.
  • The validation component first checks NOVA's memcached to see whether the token exists (it certainly does not, since this is the first request, right? haha).
  • Since it does not exist, the component stores the new token in NOVA's memcached, marks validation as passed, and returns the cached data.
  • At this point the request is complete; what happens next is described in flow two.

Flow two: NOVA's memcached has already cached the token

  • The NOVA service takes the token to the validation component for validation.
  • The component first fetches the token's data from NOVA's memcached.
  • Then it checks whether the token has expired (expiration). If it has, the token is revoked in memcached and a validation failure exception is raised; otherwise the corresponding data is fetched and returned.
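The two flows above replayed in code, as an added example rather than the middleware's own implementation: a dict stands in for the service's memcached, a callable stands in for keystone's validation endpoint, and the clock is injected so the expiry branch can be exercised. The token data and epoch values are constructed.

```python
class TokenRejected(Exception):
    """Token missing, expired, or rejected by keystone."""


class LocalTokenCache:
    """Models the auth_token middleware lookup described above: a dict stands
    in for the service's memcached and a callable stands in for keystone."""

    def __init__(self, validate_with_keystone, token_cache_time, clock):
        self._store = {}                          # token -> (data, cached_at)
        self._validate = validate_with_keystone   # callable(token) -> data or None
        self._ttl = token_cache_time              # same meaning as token_cache_time
        self._clock = clock                       # injected so tests can move time
        self.keystone_calls = 0

    def check(self, token):
        now = self._clock()
        entry = self._store.get(token)
        if entry is not None:                     # flow two: found in local memcached
            data, cached_at = entry
            if now - cached_at > self._ttl or data["expires_at"] <= now:
                del self._store[token]            # revoke the stale entry locally
                raise TokenRejected("cached token expired")
            return data
        self.keystone_calls += 1                  # flow one: miss, ask keystone
        data = self._validate(token)
        if data is None:
            raise TokenRejected("keystone rejected token")
        self._store[token] = (data, now)
        return data


# Constructed stand-in for keystone's token store; expires_at is a fake epoch value.
FAKE_KEYSTONE = {"tok-alice": {"user": "alice", "project": "service", "expires_at": 2000.0}}


def fake_keystone_validate(token):
    return FAKE_KEYSTONE.get(token)


def run_flows():
    """Replay flow one, flow two and the expiry case; returns (step, outcome, keystone_calls)."""
    now = [1000.0]
    cache = LocalTokenCache(fake_keystone_validate, 3600, clock=lambda: now[0])
    trace = []
    for step, clock in (("first", 1000.0), ("second", 1500.0), ("expired", 2500.0)):
        now[0] = clock
        try:
            cache.check("tok-alice")
            trace.append((step, "ok", cache.keystone_calls))
        except TokenRejected:
            trace.append((step, "rejected", cache.keystone_calls))
    return trace
```

Only the first step reaches keystone; the second is served from the local cache, and the third evicts the entry because the token's expiry has passed.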

Caching is not enabled by default

To enable it, add the following configuration to nova.conf, cinder.conf and so on:

```ini
[keystone_authtoken]
auth_uri = http://keystone_server:5000/
auth_host = keystone_server
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = nova
admin_password = password
memcache_servers = 127.0.0.1:11211
# local token cache lifetime, set here to one hour
token_cache_time = 3600
cache = true
```

Link to this post: https://www.opsdev.cn/post/keystone-cache.html

-- EOF --
