From 556c1a6633931207370106478fa2d155fbffb126 Mon Sep 17 00:00:00 2001 From: Jamie Lennox Date: Wed, 9 Sep 2015 22:38:04 +1000 Subject: Identity plugin thread safety A common case is for Nova (or other service) to create a service authentication plugin from a configuration file and then have many greenlet threads that want to reuse that authentication. If a token expires then many threads all try and fetch a new token to use and can step over each other. I was hoping for a way to put a lock in so that all plugins were thread safe however fixing it for identity plugins solves almost all real world situations and anyone doing non-identity plugins will have to manage threads themselves. Change-Id: Ib6487de7de638abc69660c851bd048a8ec177109 Closes-Bug: #1493835 --- doc/source/authentication-plugins.rst | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'doc') diff --git a/doc/source/authentication-plugins.rst b/doc/source/authentication-plugins.rst index 5afc0bc..89384a5 100644 --- a/doc/source/authentication-plugins.rst +++ b/doc/source/authentication-plugins.rst @@ -235,3 +235,10 @@ can be retrieved. The most simple example of a plugin is the :py:class:`keystoneclient.auth.token_endpoint.Token` plugin. + +When writing a plugin you should ensure that any fetch operation is thread +safe. A common pattern is for a service to hold a single service authentication +plugin globally and re-use that between all threads. This means that when a +token expires there may be multiple threads that all try to fetch a new plugin +at the same time. It is the responsibility of the plugin to ensure that this +case is handled in a way that still results in correct reauthentication. -- cgit v1.2.1