fix(ldap) cache key to work when plugin is configured globally

[bungle]

Summary

Changes the way how LDAP cache key in constructed. Previously it didn't share cache with similarly configured LDAP plugins. And more importantly, it was broken when configured as a global plugin (that was reported with #3335)

Full changelog

• Implement cache key based on plugin configuration

Issues resolved

Fix #3335

[StephenLord]

I will give it a go, may take a day or so to get there, my kong deployments are currently done by pulling a docker image, so I need to work out how to drop this into my setup.

[Tieske]

this is calculated on every request. We better cache the calculated key.

[bungle]

Not sure, the calculation is not very intensive. Maybe caching is even slower than calculating MD5 out of small string? Not sure if it is worth considering added complexity?

[Tieske]

if you leave the username out of the hash, you can create the entire key and store it in a weak table. That would be a single table lookup, followed by the username concatenation.

[Tieske]

maybe also add a test that reproduces the original problem?

[Tieske]

I like the hash solution for other plugin instances using the same ldap backend. More performant and less resources. 👍

[Tieske]

pinging @shashiranjan84 since he did the original work on this.

@bungle maybe add a small comment in the schema.lua file that if any properties are added/removed/updated, that the hash creation might need to be updated.

[shashiranjan84]

Is this name intentional acl_cache_key, not a big deal though?

[Tieske]

oops... how did I miss that... good catch

[bungle]

I copied that name from unit tests. I can rename both.

[thibaultcha]

It is a lot more efficient to follow the approach taken by dao:cache_key() rather than paying the cost of 2 short-lived tables, the double concatenation operation, and the md5 hash. Any reason for now using a simple string.format instead? Combined with @Tieske's comment about caching the cache key prefix (that of the plugin configuration), and simply use the username as the dynamic component?

[bungle]

Sure, I will change that. A lot more in this case might be a few microseconds, but of course better to do it like that. Not sure though, should we use something else than MD5. Maybe requiring lua-resty-string and using SHA256 instead. Maybe not worth it, when I remove username from the hash.

[thibaultcha]

Well, as always, it isn't about making that particular piece of the code run a few microseconds faster, but rather prevent the spreading of anti-patterns and ensure that overall, the proxy still performs relatively well in hot code paths. To avoid accumulating performance penalties when they can be avoided. It is a continuous effort.
In this case if we cache the key and only rotate the username part, we can get away with the current approach, sure.

I'm not sure why the hashing is required though?

[Tieske]

I think the resulting string is a lot smaller?

[thibaultcha]

That's the only benefit I am seeing as well (in which case md5 should be just fine?)

[bungle]

A key without hashing:

ldap_auth_cache:ec2-54-172-82-117.compute-1.amazonaws.com:389:ou=scientists,dc=ldap,dc=mashape,dc=com:uid:2:einstein

A key with hashing:

ldap_auth_cache:aec022a3d1d6590c4432b4bc65433e2e:einstein

[bungle]

@Tieske, @thibaultcha, @shashiranjan84,

Ok, I tried to fix all your concerns. Let me know what you think about it now.

[thibaultcha]

The CI build seems to consistently error on the following step:

spec-old-api/03-plugins/21-ldap-auth/01-access_spec.lua @ 326: Plugin: ldap-auth (access) caches LDAP Auth Credential

I restarted both builds to make sure that this wasn't a flaky setup.

[Tieske]

we should remove case sensitivity from the cache-key for those elements that are not case sensitive (eg. hostname, haven't looked into the ldap specifc ones).

[bungle]

LDAP specific ones are usually case-insensitive, but you may possibly configure them to be case-sensitive.

[Tieske]

then the safe way would be to keep them case-sensitive, so that only leaves the hostname to update.

[bungle]

http://ldapwiki.com/wiki/Distinguished%20Name%20Case%20Sensitivity

(I don't have a courage to make other than host case-insensitive, EVEN though in most sane cases they all are case-insensitive, including the username).

[Tieske]

aren't the host and port properties only used to connect to the ldap server?

[Tieske]

@thibaultcha somewhat related to this, in the light of plugin-api spec, we could consider dropping the weak table pattern and use the config table instead.

• currently the config table is considered read-only, hence we use the table as a key in a weak table to cache intermediary results.

we could define it as:

• the plugin is the owner of the config table. Allowing the plugin to update the table.
• Kongs responsibility will only be to fetch the plugin configuration and take care of invalidation and caching
• Any changes made to the table will never be persisted, and are local to a worker process
• The lifetime of the table may differ from the worker process based on lru or similar cache evictions

we might even consider to add a initialize_config() method to the plugins to create the intermediary updates right after fetching it, and forego on any runtime checks.

None of this for this PR though.

[bungle]

@Tieske, yes I was looking forward for that, but couldn't find a place currently to do that. Your other comments are good (case insensitivity), also I need to check that erroring test.