[Neutron] Speed up access to neutron resources by indexing RBAC database columns "target_tenant" and "action"

Solution In Progress - Updated -

Issue

Two columns in the RBAC database tables are referenced in queries but are not indexed, which results in sub-optimal query performance.

Neutron provides role-based access control [2] to a set of resources (networks, QoS policies, security groups, address scopes, subnet pools and address groups). Each time those resources are requested using the Neutron API, the Neutron server performs a database request using the role ID of the user and the RBAC configuration for each resource. That triggers an SQL query like this one:

SELECT 
    networkrbacs.project_id AS networkrbacs_project_id,
    networkrbacs.id AS networkrbacs_id,
    networkrbacs.target_tenant AS networkrbacs_target_tenant,
    networkrbacs.action AS networkrbacs_action,
    networkrbacs.object_id AS networkrbacs_object_id,
    anon_1.networks_id AS anon_1_networks_id
FROM
    (SELECT 
        networks.id AS networks_id
    FROM
        networks
    LEFT OUTER JOIN networkrbacs ON networks.id = networkrbacs.object_id
    WHERE
        (networkrbacs.action = 'access_as_external'
            AND networkrbacs.target_tenant = 'd411a44c5fec4d4883e2648d1e34faf6'
            OR networkrbacs.target_tenant = '*'
            OR networks.project_id = 'd411a44c5fec4d4883e2648d1e34faf6'
            OR networkrbacs.action = 'access_as_shared'
            AND (networkrbacs.target_tenant = 'd411a44c5fec4d4883e2648d1e34faf6'
            OR networkrbacs.target_tenant = '*'))
            AND (EXISTS( SELECT 
                1
            FROM
                externalnetworks
            WHERE
                networks.id = externalnetworks.network_id))) AS anon_1
        INNER JOIN
    networkrbacs ON anon_1.networks_id = networkrbacs.object_id
ORDER BY anon_1.networks_id

The issue with this SQL query is that currently no RBAC model indexes the "target_tenant" and "action" columns, so the database cannot use an index to filter on them and performance is suboptimal.

[2] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/16.2/html/networking_guide/config-rbac-policies_rhosp-network
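
As an added illustration (not part of the original article, and not Red Hat or Neutron code), the script below uses an in-memory SQLite table as a constructed stand-in for networkrbacs and shows the query planner moving from a full table scan to an index search once "target_tenant" and "action" are indexed. The index names, the sample rows and the simplified filter are assumptions; a real deployment's database engine formats its EXPLAIN output differently.

```python
import sqlite3

# Constructed stand-in for Neutron's networkrbacs table (SQLite, for illustration only).
SCHEMA = """
CREATE TABLE networkrbacs (
    id TEXT PRIMARY KEY,
    object_id TEXT NOT NULL,
    project_id TEXT,
    target_tenant TEXT NOT NULL,
    action TEXT NOT NULL
);
"""
# The RBAC filter from the query above, reduced to the two unindexed columns.
RBAC_FILTER = ("SELECT object_id FROM networkrbacs "
               "WHERE action = 'access_as_shared' AND target_tenant = ?")

def build_db(rows=5000):
    """Create the table and fill it with constructed RBAC entries."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO networkrbacs VALUES (?, ?, ?, ?, ?)",
        ((f"rbac-{i}", f"net-{i}", f"owner-{i % 50}", f"tenant-{i % 500}",
          "access_as_shared" if i % 2 else "access_as_external")
         for i in range(rows)))
    return conn

def query_plan(conn, tenant="tenant-7"):
    """Return the planner's description of how it will run the RBAC filter."""
    rows = conn.execute("EXPLAIN QUERY PLAN " + RBAC_FILTER, (tenant,)).fetchall()
    return " | ".join(r[3] for r in rows)  # column 3 holds the plan detail text

def add_indexes(conn):
    """Index the two filtered columns (index names are hypothetical)."""
    conn.execute("CREATE INDEX ix_networkrbacs_target_tenant ON networkrbacs (target_tenant)")
    conn.execute("CREATE INDEX ix_networkrbacs_action ON networkrbacs (action)")
    conn.execute("ANALYZE")  # refresh statistics so the planner sees the new indexes

def compare():
    """Return (plan before indexing, plan after indexing, matching row count)."""
    conn = build_db()
    before = query_plan(conn)
    add_indexes(conn)
    after = query_plan(conn)
    matched = len(conn.execute(RBAC_FILTER, ("tenant-7",)).fetchall())
    return before, after, matched

if __name__ == "__main__":
    before, after, matched = compare()
    print("before:", before)
    print("after: ", after)
    print("rows matched:", matched)
```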

Environment

Any OpenStack environment before OSP18, that is OSP10, OSP13, OSP16.x and OSP17.x.

For OSP18 this solution won't be necessary because of [1], a patch introduced in upstream Yoga that provides an alembic migration that adds those indexes to all RBAC database tables.

[1] https://review.opendev.org/c/openstack/neutron/+/810072
