Posted to dev@knox.apache.org by "Philip Zampino (Jira)" <ji...@apache.org> on 2020/06/04 02:07:00 UTC

[jira] [Resolved] (KNOX-2375) Token state eviction should access the keystore file less frequently

     [ https://issues.apache.org/jira/browse/KNOX-2375?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Philip Zampino resolved KNOX-2375.
----------------------------------
    Resolution: Fixed

> Token state eviction should access the keystore file less frequently
> --------------------------------------------------------------------
>
>                 Key: KNOX-2375
>                 URL: https://issues.apache.org/jira/browse/KNOX-2375
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 1.4.0
>            Reporter: Philip Zampino
>            Assignee: Philip Zampino
>            Priority: Major
>          Time Spent: 3h 10m
>  Remaining Estimate: 0h
>
> When the AliasBasedTokenStateService is employed, the TokenStateService reaper loads the keystore file (via the AliasService and KeyStoreService) very frequently.
>  # It queries all the token-state-related aliases
>  # For every token ID
>  ## Looks up the token again (validateToken())
>  ## Looks up the token expiration
>  ## Removes the token expiration alias
>  ## Removes the token max lifetime alias
> This means the KeyStoreService loads the keystore file (1 + 2-to-4-per-token) times every eviction interval (default 5 minutes). That means, if there are 100 expired tokens and 100 unexpired tokens, the reaper will load the keystore file 601 times in one iteration.
> As the keystore file size increases, the already poor performance of loading this file degrades even more to the point that the token state reaper can consume 100% of the CPU.
> The reaper should operate on the in-memory token state as much as possible, and even remove expired token state in bulk (loading / writing the keystore file once for all).
>  



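The access pattern described in the issue, modelled next to the bulk approach it proposes, using the issue's case of 100 expired and 100 unexpired tokens. This is an added example, not Apache Knox code: the store class, the method names and the `.max` alias suffix are assumptions, and each call on the store stands for one load of the keystore file.

```java
import java.util.*;
// Illustrative model, not Apache Knox code; every class, method and alias name is hypothetical.
public class ReaperLoadCount {
    // Stand-in for a file-backed alias store that re-reads the keystore file on every call.
    static class FileBackedAliases {
        final Map<String, Long> aliases = new HashMap<>();
        int fileLoads = 0;
        List<String> tokenIds() {
            fileLoads++;
            List<String> ids = new ArrayList<>(aliases.keySet());
            ids.removeIf(a -> a.endsWith(".max"));
            return ids;
        }
        Long get(String alias) { fileLoads++; return aliases.get(alias); }
        void remove(String alias) { fileLoads++; aliases.remove(alias); }
        void removeAll(Collection<String> batch) { fileLoads++; aliases.keySet().removeAll(batch); }
    }
    // Per-token pattern from the issue: one listing, then 2 loads per live token, 4 per expired one.
    static int reapPerToken(FileBackedAliases store, long now) {
        for (String id : store.tokenIds()) {
            store.get(id);                      // validateToken(): looks the token up again
            if (store.get(id) <= now) {         // expiration lookup
                store.remove(id);               // expiration alias
                store.remove(id + ".max");      // max lifetime alias
            }
        }
        return store.fileLoads;
    }
    // Proposed pattern: decide expiry from in-memory state, then remove all aliases in one pass.
    static int reapInBulk(FileBackedAliases store, Map<String, Long> inMemoryExpiry, long now) {
        List<String> batch = new ArrayList<>();
        for (Map.Entry<String, Long> e : inMemoryExpiry.entrySet())
            if (e.getValue() <= now) batch.addAll(Arrays.asList(e.getKey(), e.getKey() + ".max"));
        if (!batch.isEmpty()) store.removeAll(batch);
        inMemoryExpiry.values().removeIf(expiration -> expiration <= now);
        return store.fileLoads;
    }
    public static void main(String[] args) {
        long now = 1_000_000L;  // constructed sample: 100 expired and 100 unexpired tokens
        FileBackedAliases perToken = new FileBackedAliases(), bulk = new FileBackedAliases();
        Map<String, Long> memory = new HashMap<>();  // in-memory token state: ID -> expiration
        for (int i = 0; i < 200; i++) {
            memory.put("t" + i, i < 100 ? now - 1 : now + 60_000);
            perToken.aliases.put("t" + i + ".max", now + 600_000);
        }
        perToken.aliases.putAll(memory);
        bulk.aliases.putAll(perToken.aliases);
        System.out.println("per-token reaper loads: " + reapPerToken(perToken, now));
        System.out.println("bulk reaper loads: " + reapInBulk(bulk, memory, now));
    }
}
```

On this sample the per-token reaper performs the 601 loads the issue calculates, while the bulk reaper touches the store once.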