You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@activemq.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2020/08/25 23:48:00 UTC
[jira] [Work logged] (ARTEMIS-2886) Optimize security auth
[ https://issues.apache.org/jira/browse/ARTEMIS-2886?focusedWorklogId=474572&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-474572 ]
ASF GitHub Bot logged work on ARTEMIS-2886:
-------------------------------------------
Author: ASF GitHub Bot
Created on: 25/Aug/20 23:47
Start Date: 25/Aug/20 23:47
Worklog Time Spent: 10m
Work Description: jbertram opened a new pull request #3246:
URL: https://github.com/apache/activemq-artemis/pull/3246
Both authentication and authorization will hit the underlying security
repository (e.g. files, LDAP, etc.). For example, creating a JMS
connection and a consumer will result in 2 hits with the *same*
authentication request. This can cause unwanted (and unnecessary)
resource utilization, especially in the case of networked configuration
like LDAP.
There is already a rudimentary cache for authorization, but it is
cleared *totally* every 10 seconds by default (controlled via the
security-invalidation-interval setting), and it must be populated
initially which still results in duplicate auth requests.
This commit optimizes authentication and authorization via the following
changes:
- Replace our home-grown cache with Google Guava's cache. This provides
simple caching with both time-based and size-based LRU eviction. See more
at https://github.com/google/guava/wiki/CachesExplained. I also thought
about using Caffeine, but we already have a dependency on Guava and the
cache implementions look to be negligibly different for this use-case.
- Add caching for authentication. Both successful and unsuccessful
authentication attempts will be cached to spare the underlying security
repository as much as possible. Authenticated Subjects will be cached
and re-used whenever possible.
- Authorization will used Subjects cached during authentication. If the
required Subject is not in the cache it will be fetched from the
underlying security repo.
- Caching can be disabled by setting the security-invalidation-interval
to 0.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
Issue Time Tracking
-------------------
Worklog Id: (was: 474572)
Remaining Estimate: 0h
Time Spent: 10m
> Optimize security auth
> ----------------------
>
> Key: ARTEMIS-2886
> URL: https://issues.apache.org/jira/browse/ARTEMIS-2886
> Project: ActiveMQ Artemis
> Issue Type: Improvement
> Reporter: Justin Bertram
> Assignee: Justin Bertram
> Priority: Major
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Both authentication and authorization will hit the underlying security repository (e.g. files, LDAP, etc.). For example, creating a JMS connection and a consumer will result in 2 hits with the *same* authentication request. This can cause unwanted (and unnecessary) resource utilization, especially in the case of networked configuration like LDAP.
> There is a rudimentary cache for authorization, but it is cleared *totally* every 10 seconds by default (controlled via the {{security-invalidation-interval setting}}), and it must be populated initially which still results in duplicate auth requests.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)