Two columns in the RBAC databases are referenced in queries but not indexed. This causes sub-optimal search performance.
Neutron provides role-based access control  to a set of resources (networks, QoS policies, security groups, address scopes, subnet pools and address groups). Each time those resources are requested using the Neutron API, the Neutron server performs a database request using the role ID of the user and the RBAC configuration for each resource. That triggers an SQL query like this one:
SELECT networkrbacs.project_id AS networkrbacs_project_id, networkrbacs.id AS networkrbacs_id, networkrbacs.target_tenant AS networkrbacs_target_tenant, networkrbacs.action AS networkrbacs_action, networkrbacs.object_id AS networkrbacs_object_id, anon_1.networks_id AS anon_1_networks_id FROM (SELECT networks.id AS networks_id FROM networks LEFT OUTER JOIN networkrbacs ON networks.id = networkrbacs.object_id WHERE (networkrbacs.action = 'access_as_external' AND networkrbacs.target_tenant = 'd411a44c5fec4d4883e2648d1e34faf6' OR networkrbacs.target_tenant = '*' OR networks.project_id = 'd411a44c5fec4d4883e2648d1e34faf6' OR networkrbacs.action = 'access_as_shared' AND (networkrbacs.target_tenant = 'd411a44c5fec4d4883e2648d1e34faf6' OR networkrbacs.target_tenant = '*')) AND (EXISTS( SELECT 1 FROM externalnetworks WHERE networks.id = externalnetworks.network_id))) AS anon_1 INNER JOIN networkrbacs ON anon_1.networks_id = networkrbacs.object_id ORDER BY anon_1.networks_idc
The issue with this SQL query is that currently no RBAC model indexes the "target_tenant" and "action" columns and the performance is suboptimal.
Any OpenStack environment before OSP18, that is OSP10, OSP13, OSP16.x and OSP17.x.
For OSP18 this solution won't be necessary because of , a patch introduced in upstream Yoga that provides an alembic migration that adds those indexes to all RBAC database tables.
Subscriber exclusive content
A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.