[ovirt-users] slow kerberos authentication

Juan Hernández jhernand at redhat.com
Fri May 12 09:52:25 UTC 2017 

On 05/12/2017 11:45 AM, Juan Hernández wrote:
> On 05/12/2017 10:04 AM, Yaniv Kaul wrote:
>>
>>
>> On May 11, 2017 8:25 PM, "Fabrice Bacchella"
>> <fabrice.bacchella at orange.fr <mailto:fabrice.bacchella at orange.fr>> wrote:
>>
>>     I'm using kerberos authentication in ovirt for the URL
>>     /sso/oauth/token-http-auth, but kerberos is done in Apache using
>>     auth_gssapi_module and it's quite slow, about 6s for a request.
>>
>>     I'm trying to understand if it's apache or ovirt-engine that are
>>     slow. Is there a way to get response time metered for http requests
>>     inside ovirt instead of seen from apache ?
>>
>>
>> In 4.1, look under /var/log/httpd, there should be an ovirt specific log
>> file for exactly this - end to end latency of requests. 
>> Y. 
>>
> 
> The name of that file is 'ovirt-requests-log', and it contains messages
> like this:
> 
>   [12/May/2017:11:09:30 +0200] 192.168.122.1 "Correlation-Id:
> 9e259b75-ee9e-4501-9737-b38d2c318123" "Duration: 393514us" "GET
> /ovirt-engine/api/vms HTTP/1.1" 2322
> 
> Note however that it is generated by the web server, so the reported
> time will include all the web server activities required to complete the
> request.
> 
> If you need to get the same measurement from the point of view of the
> application server you can edit the
> /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in file
> and do the following modifications:
> 
> 1. Modify the AJP connector (the one that Apache talks to) so that it
> records the start time of the request:
> 
>   <ajp-listener
>     name="ajp"
>     socket-binding="ajp"
>     redirect-socket="redirect"
>     record-request-start-time="true"  <-- This is new
>   />
> 
> 2. Enable the access log:
> 
>   <host name="default-host" alias="localhost">
>     <filter-ref .../>
>     <access-log pattern="%U %Dms" directory="/var/log/ovirt-engine"
> prefix="my" suffix=".log"/>  <-- This is new
>   </host>
> 
> Then restart the engine. It will start to write to
> /var/log/ovirt-engine/my.log lines like this:
> 
>   /ovirt-engine/api/vms 801ms
> 
> The format of the pattern is described here:
> 
>   http://undertow.io/javadoc/1.4.x/index.html
> 

Actually here:


http://undertow.io/javadoc/1.4.x/io/undertow/server/handlers/accesslog/AccessLogHandler.html

> Remember that the ovirt-engine.xml.in file isn't considered a
> configuration file, so your changes will be lost next time you update
> the engine RPMs.
>

More information about the Users mailing list