[ovirt-users] slow kerberos authentication
Juan Hernández
jhernand at redhat.com
Fri May 12 09:52:25 UTC 2017
On 05/12/2017 11:45 AM, Juan Hernández wrote:
> On 05/12/2017 10:04 AM, Yaniv Kaul wrote:
>>
>>
>> On May 11, 2017 8:25 PM, "Fabrice Bacchella"
>> <fabrice.bacchella at orange.fr <mailto:fabrice.bacchella at orange.fr>> wrote:
>>
>> I'm using kerberos authentication in ovirt for the URL
>> /sso/oauth/token-http-auth, but kerberos is done in Apache using
>> auth_gssapi_module and it's quite slow, about 6s for a request.
>>
>> I'm trying to understand if it's apache or ovirt-engine that are
>> slow. Is there a way to get response time metered for http requests
>> inside ovirt instead of seen from apache ?
>>
>>
>> In 4.1, look under /var/log/httpd, there should be an ovirt specific log
>> file for exactly this - end to end latency of requests.
>> Y.
>>
>
> The name of that file is 'ovirt-requests-log', and it contains messages
> like this:
>
> [12/May/2017:11:09:30 +0200] 192.168.122.1 "Correlation-Id:
> 9e259b75-ee9e-4501-9737-b38d2c318123" "Duration: 393514us" "GET
> /ovirt-engine/api/vms HTTP/1.1" 2322
>
> Note however that it is generated by the web server, so the reported
> time will include all the web server activities required to complete the
> request.
>
> If you need to get the same measurement from the point of view of the
> application server you can edit the
> /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in file
> and do the following modifications:
>
> 1. Modify the AJP connector (the one that Apache talks to) so that it
> records the start time of the request:
>
> <ajp-listener
> name="ajp"
> socket-binding="ajp"
> redirect-socket="redirect"
> record-request-start-time="true" <-- This is new
> />
>
> 2. Enable the access log:
>
> <host name="default-host" alias="localhost">
> <filter-ref .../>
> <access-log pattern="%U %Dms" directory="/var/log/ovirt-engine"
> prefix="my" suffix=".log"/> <-- This is new
> </host>
>
> Then restart the engine. It will start to write to
> /var/log/ovirt-engine/my.log lines like this:
>
> /ovirt-engine/api/vms 801ms
>
> The format of the pattern is described here:
>
> http://undertow.io/javadoc/1.4.x/index.html
>
Actually here:
http://undertow.io/javadoc/1.4.x/io/undertow/server/handlers/accesslog/AccessLogHandler.html
> Remember that the ovirt-engine.xml.in file isn't considered a
> configuration file, so your changes will be lost next time you update
> the engine RPMs.
>
More information about the Users
mailing list