Literate Database Example
source link: http://www.howardism.org/Technical/Emacs/literate-database-example.html
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Not knowing anything about the token properties in the Keystone database structure, I jumped into the database to expose a bit of the schema. What follows is a summary of my exploration as well as some recommendations we can use to ascertain its health.
First, here are the tables associated with the keystone
database:
SHOW tables;
Tables_in_keystone credential domain endpoint group group_domain_metadata group_project_metadata migrate_version policy project role service token trust trust_role user user_domain_metadata user_group_membership user_project_metadata
The user
table has the following schema:
SHOW columns FROM user;
Field Type Null Key Default Extra id varchar(64) NO PRI NULL name varchar(255) NO NULL extra text YES NULL password varchar(128) YES NULL enabled tinyint(1) YES NULL domain_id varchar(64) NO MUL NULL default_project_id varchar(64) YES NULL
Each person that connects to the Keystone service is given an entry
in the user
database. How many have logged in?
SELECT count(*) AS users FROM user;
users 40
Keep in mind that some of these entries are for the other OpenStack components and our CI accounts:
SELECT COUNT(*) as non_users FROM user WHERE extra LIKE '{"email": ""}';
non_users 21
An active user is given a token during the authentication
process, and that record is stored in the token
table.
Here is its schema:
SHOW columns FROM token;
Field Type Null Key Default Extra id varchar(64) NO PRI NULL expires datetime YES MUL NULL extra mediumtext YES NULL valid tinyint(1) NO NULL trust_id varchar(64) YES NULL user_id varchar(64) YES NULL
How many token entries are there at this time?
SELECT count(*) AS tokens FROM token;
tokens 1243
Is the expires
timestamp something that can be in the past?
SELECT count(*) AS expired FROM token WHERE expires < NOW();
expired 735
Clearly that is a lot of expired tokens. How old is the oldest expired token?
SELECT expires, (UNIX_TIMESTAMP(expires) - UNIX_TIMESTAMP(NOW()))/60 AS minutes_ago, (UNIX_TIMESTAMP(expires) - UNIX_TIMESTAMP(NOW()))/60/60 AS hours_ago FROM token ORDER BY expires DESC LIMIT 1
expires minutes_ago hours_ago 2015-04-10 20:14:49 1417.0000 23.61666667
That is almost 24 hours ago. Is that our policy? Actually, it is indeed a configurable policy. The default value is set to 24 hours, in case long running stories cache that token. If we think data storage is still an issue, we could lower that policy in order to force the excise of those expire tokens. If a system does cache it, the token can be renewed, or the script could be easily reset.
What is the token duration? According to the database entries,
this would be the value with the greatest expires
entry:
SELECT expires, (UNIX_TIMESTAMP(NOW()) - UNIX_TIMESTAMP(expires))/60/60 AS hours FROM token ORDER BY expires ASC LIMIT 1
expires hours 2015-04-09 05:59:28 14.63916667
Since we can easily re-new a token, why is that value so large? How many tokens are expiring in the next ten minutes? Are those tokens from normal users or from the other cluster components?
SELECT user.name AS soon_to_expire FROM token, user WHERE user.id = token.user_id AND expires > NOW() AND expires < DATE_ADD(NOW(), INTERVAL 10 MINUTE);
soon_to_expire casey.jones johnny.thunder ravi.shankar ravi.shankar ravi.shankar ravi.shankar johnny.thunder neutron
Clearly, this will depend on the activity of our system. We have someone here with two tokens. How many tokens are assigned to active user account?
SELECT user.name, count(token.id) AS tokens FROM token LEFT JOIN user ON user.id = token.user_id GROUP BY token.user_id ORDER BY tokens DESC
name tokens neutron 498 jazz.ci 214 johnny.thunder 113 wpc-buildadm 106 paul.mccartney 89 jazz.ci.gold 68 howard.abrams 49 megane.smith 32 mini.song 29 ravi.shankar 18 guido-ci 12 admin 6 adam.smith 4 casey.jones 2 glance 2 nova 1
I guess I can see why the neutron
account has the most tokens,
but normal user accounts seem to have quite a bit. Why? Are they
expired?
SELECT user.name, count(token.id) AS expired_tokens FROM token LEFT JOIN user ON user.id = token.user_id WHERE token.expires < NOW() GROUP BY token.user_id ORDER BY expired_tokens DESC
name expired_tokens neutron 247 jazz.ci 102 johnny.thunder 100 paul.mccartney 84 wpc-buildadm 53 howard.abrams 49 jazz.ci.gold 39 megane.smith 32 mini.song 10 ravi.shankar 8 admin 6 adam.smith 4 casey.jones 1
While it appears that most of the tokens are indeed expired, the non-expired tokens seem to be more than needed. But I guess that is just the OpenStack way.
The token
table has a valid
field that is either 1
or 0
.
How many tokens are invalid (equal to zero instead of one)? The
OpenStack documentation describes this field as revoked:
SELECT count(*) AS invalid FROM token WHERE valid = 0;
invalid 6
Which user has these invalid tokens. Are invalid tokens also
expired? No, since the expires
field can be either greater or
less than the current time:
SELECT name, expires, (UNIX_TIMESTAMP(NOW()) - UNIX_TIMESTAMP(expires))/60 AS minutes_when FROM token, user WHERE user.id = token.user_id AND valid = 0;
name expires minutes_when howard.abrams 2015-04-09 17:48:44 169.1000 howard.abrams 2015-04-09 17:48:52 168.9667 ravi.shankar 2015-04-09 16:03:14 274.6000 ravi.shankar 2015-04-09 20:40:05 -2.2500 howard.abrams 2015-04-09 17:48:42 169.1333 ravi.shankar 2015-04-09 17:40:52 176.9667
The revoked tokens can come about due to actually calling the Delete API on the token (even though I don’t remember doing anything like that with my account):
DELETE: /token/{token_id}
This API sets the valid field of token to false in the database
(1). Then the token is now called a revoked token. The code for
accessing and managing the revoked tokens are in
keystoneclient.middleware.auth_token
, so we might want to read the
code to see the details.
Note: Token revocation is often a side effect of some other operation. For example, changing a password revokes all tokens issued prior to the password change. Removing a role assignment from a user revokes all tokens that have that role assignment.
Does someone with invalid or revoked tokens also have valid tokens?
SELECT count(*) as howards_tokens FROM token, user WHERE token.user_id = user.id AND valid = 1 AND user.name = "howard.abrams"
howards_tokens 46
I guess so….
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK