New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cache empty auth results to reduce db load #4104
Conversation
[PG3:2985 ok] |
Codecov Report
@@ Coverage Diff @@
## master #4104 +/- ##
=========================================
- Coverage 84.57% 81.07% -3.5%
=========================================
Files 148 148
Lines 7110 7118 +8
Branches 431 423 -8
=========================================
- Hits 6013 5771 -242
- Misses 1097 1347 +250
Continue to review full report at Codecov.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good one, that's indeed an attack vector against the database.
LGTM!
Agree. Is 5 minutes too high? |
Caching such negative lookups may be abused to put lots of of entries in cache and put pressure on heap (causing eviction of valid entries) given our caches are not bounded by size. May be use a separate bounded cache for such entries. |
@chetanmeh the cache is "bounded" as in its entries are garbage collectable. |
@markusthoemmes All caches are currently configured with If we use a bounded cache in terms of entry count then only identity cache would be impacted but other caches would not get impacted. |
I have now limited the auth cache hard to 100000 entries. Worth to be configurable ? |
...ala/src/main/scala/org/apache/openwhisk/core/database/MultipleReadersSingleWriterCache.scala
Outdated
Show resolved
Hide resolved
@mhenke1 Should be fine to leave it specified in code for now |
Co-Authored-By: mhenke1 <martin.henke@web.de>
[PG 2:3878 ok] |
@chetanmeh I have changed the code as suggested |
@rabbah @markusthoemmes can you review cache changes once |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
cache empty results to avoid performance hits by calling webactions repeatedly. Also configure a fixed size for identity cache to ensure it does not grow unbounded with too many negative entries. * limit size of auth cache * Simplify logic to create the cache Co-Authored-By: mhenke1 <martin.henke@web.de>
Cache negative auth responses to avoid going to the DB with every identical call
Description
Since negative auth responses (Identity.get) are not cached,
all requests with a non existing namespace or an invalid authkey will perform queries to the subject db.
A user can influence OW performance by issuing a high number of those calls.
ThIs PR changes that behavior in the way, that negative auth results are cached as None value.
Subsequent Identical calls will only use the cache (for the 5 minutes cache period).
The external interface and behavior of the Identity.get methods stays unchanged.
Related issue and scope
My changes affect the following components
Types of changes
Checklist: