Posted to dev@knox.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2020/06/02 01:50:00 UTC

[jira] [Work logged] (KNOX-2375) Token state eviction should access the keystore file less frequently

     [ https://issues.apache.org/jira/browse/KNOX-2375?focusedWorklogId=439849&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-439849 ]

ASF GitHub Bot logged work on KNOX-2375:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 02/Jun/20 01:49
            Start Date: 02/Jun/20 01:49
    Worklog Time Spent: 10m 
      Work Description: pzampino opened a new pull request #337:
URL: https://github.com/apache/knox/pull/337


   … frequently
   
   ## What changes were proposed in this pull request?
   
   The goal of these changes is to reduce the number of times during a token state reaper iteration that the keystore file is loaded and subsequently written. This change reduces that number from (1 + 2-to-4-per-token) to (1 + 0-to-1-per-token + 1). So, for 100 expired tokens and 100 unexpired tokens, that means going from 601 loads to 2 loads (if all the token state aliases are cached) or up to 202 in the absolute worst case when none of the token state aliases is cached.
   
   Part of the solution includes adding bulk alias/key removal methods to the AliasService and KeystoreService respectively.
   
   ## How was this patch tested?
   
   I've added multiple tests to exercise these changes: AliasBasedTokenStateServiceTest, DefaultTokenStateServiceTest, DefaultKeystoreServiceTest, RemoteAliasServiceTest, and ZookeeperRemoteAliasServiceTest. I'm continuing manual testing, but wanted to get the review process started as soon as possible.




Issue Time Tracking
-------------------

            Worklog Id:     (was: 439849)
    Remaining Estimate: 0h
            Time Spent: 10m

> Token state eviction should access the keystore file less frequently
> --------------------------------------------------------------------
>
>                 Key: KNOX-2375
>                 URL: https://issues.apache.org/jira/browse/KNOX-2375
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 1.4.0
>            Reporter: Philip Zampino
>            Assignee: Philip Zampino
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> When the AliasBasedTokenStateService is employed, the TokenStateService reaper loads the keystore file (via the AliasService and KeyStoreService) very frequently.
>  # It queries all the token-state-related aliases
>  # For every token ID
>  ## Looks up the token again (validateToken())
>  ## Looks up the token expiration
>  ## Removes the token expiration alias
>  ## Removes the token max lifetime alias
> This means the KeyStoreService loads the keystore file (1 + 2-to-4-per-token) times every eviction interval (default 5 minutes). That means, if there are 100 expired tokens and 100 unexpired tokens, the reaper will load the keystore file 601 times in one iteration.
> As the keystore file size increases, the already poor performance of loading this file degrades even more to the point that the token state reaper can consume 100% of the CPU.
> The reaper should operate on the in-memory token state as much as possible, and even remove expired token state in bulk (loading / writing the keystore file once for all).
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
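
The load counts quoted in the issue and the pull request description above can be reproduced with a small model. This is an added example, not Knox code: the class and function names and the `--max` alias suffix are assumptions, and the token state is constructed sample data.

```python
# Added model, not Knox code: every class and function name here is hypothetical.
MAX = "--max"  # constructed suffix marking a token's max-lifetime alias
class CountingKeystore:  # stand-in for the keystore file; counts every load
    def __init__(self, aliases):
        self._aliases, self.loads = dict(aliases), 0
    def _load(self):
        self.loads += 1
        return self._aliases
    def list_aliases(self):
        return list(self._load())
    def get(self, alias):
        return self._load().get(alias)
    def remove(self, alias):              # one load/write per alias
        self._load().pop(alias, None)
    def remove_all(self, aliases):        # one load/write for the whole batch
        store = self._load()
        for alias in aliases:
            store.pop(alias, None)

def make_store(expired, live, now):       # constructed sample token state
    aliases = {}
    for i in range(expired + live):
        aliases[f"tok{i}"] = now - 1 if i < expired else now + 3600
        aliases[f"tok{i}{MAX}"] = now + 86400
    return CountingKeystore(aliases)

def token_ids(ks):
    return [a for a in ks.list_aliases() if not a.endswith(MAX)]

def reap_per_token(ks, now):
    """Reaper as the issue describes it: 2 loads per live token, 4 per expired one."""
    for tid in token_ids(ks):             # 1 load for the alias query
        # token looked up again, then its expiration looked up: 2 loads
        if ks.get(tid) is not None and ks.get(tid) <= now:
            ks.remove(tid)                # expiration alias removed: 1 load
            ks.remove(tid + MAX)          # max-lifetime alias removed: 1 load
    return ks.loads

def reap_bulk(ks, now, cache):
    """Reaper working from in-memory state, with one bulk removal at the end."""
    ids = token_ids(ks)                   # 1 load for the alias query
    for tid in ids:
        if tid not in cache:
            cache[tid] = ks.get(tid)      # cache miss: 1 load
    expired = [t for t in ids if cache[t] <= now]
    if expired:                           # 1 load for all removals together
        ks.remove_all([a for t in expired for a in (t, t + MAX)])
        for t in expired:
            del cache[t]
    return ks.loads
```

With 100 expired and 100 unexpired tokens, `reap_per_token` returns 601 loads, while `reap_bulk` returns 2 with a fully warm cache and 202 with an empty one.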