[ovirt-users] slow kerberos authentication

Juan Hernández jhernand at redhat.com
Fri May 12 09:45:50 UTC 2017


On 05/12/2017 10:04 AM, Yaniv Kaul wrote:
> 
> 
> On May 11, 2017 8:25 PM, "Fabrice Bacchella"
> <fabrice.bacchella at orange.fr <mailto:fabrice.bacchella at orange.fr>> wrote:
> 
>     I'm using kerberos authentication in ovirt for the URL
>     /sso/oauth/token-http-auth, but kerberos is done in Apache using
>     auth_gssapi_module and it's quite slow, about 6s for a request.
> 
>     I'm trying to understand if it's apache or ovirt-engine that are
>     slow. Is there a way to get response time metered for http requests
>     inside ovirt instead of seen from apache ?
> 
> 
> In 4.1, look under /var/log/httpd, there should be an ovirt specific log
> file for exactly this - end to end latency of requests. 
> Y. 
> 

The name of that file is 'ovirt-requests-log', and it contains messages
like this:

  [12/May/2017:11:09:30 +0200] 192.168.122.1 "Correlation-Id:
9e259b75-ee9e-4501-9737-b38d2c318123" "Duration: 393514us" "GET
/ovirt-engine/api/vms HTTP/1.1" 2322

Note however that it is generated by the web server, so the reported
time will include all the web server activities required to complete the
request.

If you need to get the same measurement from the point of view of the
application server you can edit the
/usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in file
and do the following modifications:

1. Modify the AJP connector (the one that Apache talks to) so that it
records the start time of the request:

  <ajp-listener
    name="ajp"
    socket-binding="ajp"
    redirect-socket="redirect"
    record-request-start-time="true"  <-- This is new
  />

2. Enable the access log:

  <host name="default-host" alias="localhost">
    <filter-ref .../>
    <access-log pattern="%U %Dms" directory="/var/log/ovirt-engine"
prefix="my" suffix=".log"/>  <-- This is new
  </host>

Then restart the engine. It will start to write to
/var/log/ovirt-engine/my.log lines like this:

  /ovirt-engine/api/vms 801ms

The format of the pattern is described here:

  http://undertow.io/javadoc/1.4.x/index.html

Remember that the ovirt-engine.xml.in file isn't considered a
configuration file, so your changes will be lost next time you update
the engine RPMs.


More information about the Users mailing list