Skip to content

Improve trusted cert loading in Certificate Auth#27902

Merged
sgmiller merged 7 commits intomainfrom
sgm/improve-cert-trust-loading
Jul 29, 2024
Merged

Improve trusted cert loading in Certificate Auth#27902
sgmiller merged 7 commits intomainfrom
sgm/improve-cert-trust-loading

Conversation

@sgmiller
Copy link
Copy Markdown
Collaborator

@sgmiller sgmiller commented Jul 29, 2024
edited
Loading

Currently, cert auth has a cache of certName->trusted certificate data. This cache is updated lazily on login. In highly concurrent situations, several logins of the same cert or more likely, logins not specifying role name may happen simulataneously. In the status quo, each results in going to storage, fetching the role data (or all roles!), unmarshalling, and certificate parsing.

This change puts a lock matrix in front of the cache miss scenario, so only one of the logins will load and process the role data. In addition, we treat the absent role name specially, caching it separately so that it cannot be flushed by eviction on the role cache.

@sgmiller
Improve trusted cert loading in Certificate Auth
ac1bbb7 
Currently, cert auth has a cache of certName->trusted certificate data.  This cache is updated lazily on login.  In highly concurrent situations, several logins
of the same cert or more likely, logins not specifying role name may happen simulataneously.  In the status quo, each results in going to storage, fetching the role data
(or all roles!), unmarshalling, and certificate parsing.

This change puts a lock matrix in front of the cache miss scenario, so only one of the logins will load and process the role data.  In addition, we treat
the absent role name specially, caching it separately so that it cannot be flushed by eviction on the role cache.
@sgmiller sgmiller requested a review from a team as a code owner July 29, 2024 19:08
@github-actions github-actions bot added the hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed label Jul 29, 2024
@sgmiller sgmiller modified the milestones: 1.16.7, 1.17.3, 1.18.0-rc Jul 29, 2024
@github-actions
Copy link
Copy Markdown

github-actions bot commented Jul 29, 2024
edited
Loading

CI Results:
All Go tests succeeded! ✅

@github-actions
Copy link
Copy Markdown

github-actions bot commented Jul 29, 2024
edited
Loading

Build Results:
All builds succeeded! ✅

@sgmiller sgmiller enabled auto-merge (squash) July 29, 2024 19:41
stevendpclark
stevendpclark reviewed Jul 29, 2024
View reviewed changes
stevendpclark
stevendpclark reviewed Jul 29, 2024
View reviewed changes
builtin/credential/cert/path_login.go
lock := locksutil.LockForKey(b.trustedCacheLocks, certName)
lock.Lock()
defer lock.Unlock()

Copy link
Copy Markdown
Contributor

@stevendpclark stevendpclark Jul 29, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To avoid re-doing the work, shouldn't we check to make sure that b.trustedCache.Get(certName) keep doing the work only if nil, otherwise leverage the newly populated cache while we were locked?

Copy link
Copy Markdown
Collaborator Author

@sgmiller sgmiller Jul 29, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You only get to this point after a cache test in getTrustedCerts, so yeah, there is a tiny race here where it could have been filled in prior to getting the lock. Worth another test?

Copy link
Copy Markdown
Contributor

@stevendpclark stevendpclark Jul 29, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well the point of the lock was to avoid different clients from re-populating the cache? All this will do is actually make it worse by serializing all the requests but they will still re-populate the cache no?

Copy link
Copy Markdown
Collaborator Author

@sgmiller sgmiller Jul 29, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Doh! You're right. I should take an RLock in the read case. And sure, I'll do a re-test.

@sgmiller sgmiller requested a review from stevendpclark July 29, 2024 20:55
stevendpclark
stevendpclark approved these changes Jul 29, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@stevendpclark stevendpclark left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@sgmiller sgmiller merged commit d75aee2 into main Jul 29, 2024
@sgmiller sgmiller deleted the sgm/improve-cert-trust-loading branch July 29, 2024 21:16
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@stevendpclark stevendpclark stevendpclark approved these changes

Assignees

No one assigned

Labels

hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed

Projects

None yet

Milestone

1.18.0-rc

Development

Successfully merging this pull request may close these issues.

2 participants

@sgmiller @stevendpclark