You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@knox.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2020/06/04 01:11:00 UTC

[jira] [Commented] (KNOX-2375) Token state eviction should access the keystore file less frequently

    [ https://issues.apache.org/jira/browse/KNOX-2375?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17125444#comment-17125444 ] 

ASF subversion and git services commented on KNOX-2375:
-------------------------------------------------------

Commit fa485e628d335f0395eebdb5a57d1304b31af874 in knox's branch refs/heads/master from Philip Zampino
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=fa485e6 ]

KNOX-2375 - Token state eviction should access the keystore file less frequently (#337)



> Token state eviction should access the keystore file less frequently
> --------------------------------------------------------------------
>
>                 Key: KNOX-2375
>                 URL: https://issues.apache.org/jira/browse/KNOX-2375
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 1.4.0
>            Reporter: Philip Zampino
>            Assignee: Philip Zampino
>            Priority: Major
>          Time Spent: 3h
>  Remaining Estimate: 0h
>
> When the AliasBasedTokenStateService is employed, the TokenStateService reaper loads the keystore file (via the AliasService and KeyStoreService) very frequently.
>  # It queries all the token-state-related aliases
>  # For every token ID
>  ## Looks up the token again (validateToken())
>  ## Looks up the the token expiration
>  ## Removes the token expiration alias
>  ## Removes the token max lifetime alias
> This means the KeyStoreService loads the keystore file (1 + 2-to-4-per-token) times every eviction interval (default 5 minutes). That means, if there are 100 expired tokens and 100 unexpired tokens, the reaper will load the keystore file 601 times in one iteration.
> As the keystore file size increases, the already poor performance of loading this file degrades even more to the point that the token state reaper can consume 100% of the CPU.
> The reaper should operate on the in-memory token state as much as possible, and even remove expired token state in bulk (loading / writing the keystore file once for all).
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)