Improve threadpool usage and error handling for API key validation #58090
Conversation
Also return 429 when either GET or the hashing thread pool is saturated.
ywangd
added
>enhancement
:Security/Authentication
|
Pinging @elastic/es-security (:Security/Authentication) |
|
Just realised that shunting everything after GetDoc call (mainly So I made changes to only push |
x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java
Outdated
Show resolved
Hide resolved
Agreed, I don't see any obvious benefit for this or solving any actual problem we have right now, but I can see a clear negative impact on token based authentication which we should avoid. As discussed in slack, I'm not particularly worried about multiple |
There was a problem hiding this comment.
Overall this looks good!
I have raised two topics for discussion:
- I have a suggestion about what I believe is a better place for handling EsRejectedExecutionException
- I think it's better to enqueue only expensive hashing on the new thread pool, and not all (most) API verifications.
x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java
Show resolved
Hide resolved
x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java
Outdated
Show resolved
Hide resolved
x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java
Outdated
Show resolved
Hide resolved
x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java
Outdated
Show resolved
Hide resolved
x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java
Outdated
Show resolved
Hide resolved
| new FixedExecutorBuilder(settings, TokenService.THREAD_POOL_NAME, 1, 1000, | ||
| "xpack.security.authc.token.thread_pool", false), | ||
| new FixedExecutorBuilder(settings, ApiKeyService.THREAD_POOL_NAME, | ||
| (allocatedProcessors + 1) / 2, 1000, |
There was a problem hiding this comment.
Note by using half of the allocated processors, initial authentiation of API keys, i.e. warming up the cache, could be up to twice as slow as current implemention.
There was a problem hiding this comment.
The maximum theoretical throughput of new (previously unseen) API key validations will indeed halve, but I'm not personally worried about it. We're talking about the theoretical maximum throughput which, because of the contention on the get threadpool, and because there are many thread pools overbooking the available processors, it's not something I would consider practically important.
Yet, a possible mitigation would be to decrease (halve) the default hashing cost factor for API Keys. GIven the length of the random api key secret that we generate, we would still remain out of the brute force plausibility range.
There was a problem hiding this comment.
That's quite a large number of new threads to be adding to the system, especially threads that could end up all being busy at once for a long time authenticating a lot of clients. They're then stealing CPU time from other components of the system. What work have we done to justify that the thread pool needs to be this large (the ceiling of half the number of cores)?
There was a problem hiding this comment.
A few reasons:
- It has fewer threads than the
GETthread pool - the current code performs the hashing in theGETthread pool, which has number of threads equals to number of cores. The new thread pool should in fact help with resource stealing. Besides, saturation of GET thread pool has wider negative impacts to both uncached and cached authentication. A new pool helps isolate the impact to only new clients trying to connect. - Balance between throughput and resource contention - the expensive hashing operations are unavoidable. Performance tests show about 5000 authentications per minute (8 cores). With half of the threads, the number will be halved as well. Assuming a 25K clients (50K keys) use case, it will take 20 min for all keys to be cached. Reducing the number of threads too much would push the warm up time even higher. Therefore using half number of the cores feels like a reasonable middle ground.
- Hashing in the
genericthread pool (which uses all cores) does not have obvious performance hit - I tried simply pushing the hashing to thegenericthread pool, which then used all cores for the hashing. I didn't observe any obivious performance issue with it. In fact, the initial warm up stage is smoother and has a better throughput than using theGETthread pool. Therefore it feels that using half of the cores should be relatively safe and also performant. I do plan to run a few more rounds of performance tests after all scheduledv7.9API key improvements. So we can be confident on this. - The new thread pool will be shared by all security related expensive operations - currently its only usage is for hashing of API key auth, so it is not a very good reason. But it could soon see another use case: the API key creation also requires expensive hashing which currently runs in the
transport_workerthread. I need to do some more investigation, but the result is very likely that we need move it to this new thread pool as well.
There was a problem hiding this comment.
My thoughts for approving the PR were that we operate under some desired rough approximation for the rate of authentication using keys (what Yang is describing on the second point above) and so by switching to a new pool (given that the get operation is so much faster than the hash, and that the new pool is smaller than the get pool) all the threads in the new pool will be busy at peak rate, so that we can estimate that peak rate (assuming a relatively tranquil system where the pool threads stay running). The original peak rate (using the get pool) was noisy because any get requests in the system interfered with it (in addition to the obvious flip side that authn hashing interfered with get requests in the system).
When the system is busy and all threads are working at the pool queues and no queue is empty, it all boils down to the processors' queue. In a sense all thread pool queues "merge" into processor queues, with the priority given by the relative number of threads ascribed to each pool. So introducing a new pool will decrease the throughput of existing pools, proportionate to relative sizes, in exchange of a guaranteed minimum throughput on the new pool ,because the new queue is not populated with any other types of work (compared to reusing an existing pool that contains other work types).
To summarise, I would generally introduce a thread pool when I want more control over the rate of some work (both the minimum and the maximum rate).
That's my thought process about thread pool queues upon which I've approved the PR. I believe a new thread pool is the right decision, but I concede that we've informed the sizing decision on rough external authn rates without also consulting with folks that tune the existing thread pools.
There was a problem hiding this comment.
Okay, thanks for the great explanations to help me understand the perspective here. One more question: is it enough to have a simple "security" thread pool? Do we need a token and a crypto thread pool and maybe another thread pool for other security aspects in the future?
There was a problem hiding this comment.
TL;DR: We are not considering another thread pool for other security aspects.
Our intention for the new thread pool is to focus on "cpu-intensive" security computations, namely hashing and encryption, especially in the scope of authentication. Given their expensiveness and importance, we'd like to control their impact both ways: they should not take over all system resources but in the mean time should maintain a reasonable level of throughput. We use following criteria to justify whether an operation should be added to this pool:
- Is it expensive? The standard here is somewhat subjective. Based on performance tests, I personally would eye on anything longer than 1 ms.
- Is it authentication/authorization related? We'd like to prioritize these operations since they usually need to complete in a timely manner.
- Does it need to scale? i.e. potential burst in volume? When there is a large increase in concurrency, we'd like to protect the system from being completely flooded.
With above criteria, we can come up with the followings:
- Hashing for uncached results are great candidates. These include API Key auth (current PR, v7.9), API Key creation (v7.9?), tokens, username/password (planned, v7.10)
- Signing and cryption for SAML assertions and odic claims are potential candidates (pending further performance check)
- Hashing for cached result is not qualified for the new thread pool since it is fast (sha256, ~3 microseconds).
- Manipulations of security documents are not qualified either
- Encrypted snapshot, though potentially expensive, is not auth related and unlikely needs to scale. Hence it is also not qualified.
- An interesting case is read/write of the security index. When the index is not on the local node, these operations can be expensive (above 1 ms) and it also matches the two other criteria. However the system indices work (System index reads in separate threadpool #57936) is supposed to cover it. Hence we are not considering it either.
- Any other security aspects that are not qualified
Now the question is: whether above unqualified security operations worth to have their own separate thread pool?
When security is enabled, security related operations are ubiquitous, e.g. every request needs to go through authentication and authorization flow. Currently our general practice is to "just let them run in the same thread", which could be get, transport_worker etc. This strategy has served us reasonally well so far. But with the upcoming change to expose the service to unprecedented large number of clients, we started noticing some issues revealed by the performance tests, which in turn leads to this PR and a few other work in the pipeline. At this stage, based on what we know, we still believe the existing strategy works fine for security operations that are not qualified for the new thread pool. Hence we do not plan to add another one.
For the sake of completeness, there are exceptions to the existing strategy. Outbound LDAP calls are submitted via the generic pool to avoid risks of deadlocking if they are submitted via the same pool used by the outbound requests. There is no sign for this being an issue so far. We had brief discussion about it and decided to evaluate it more closely at a later time.
...plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java
Outdated
Show resolved
Hide resolved
| new FixedExecutorBuilder(settings, TokenService.THREAD_POOL_NAME, 1, 1000, | ||
| "xpack.security.authc.token.thread_pool", false), | ||
| new FixedExecutorBuilder(settings, ApiKeyService.THREAD_POOL_NAME, | ||
| (allocatedProcessors + 1) / 2, 1000, |
There was a problem hiding this comment.
The maximum theoretical throughput of new (previously unseen) API key validations will indeed halve, but I'm not personally worried about it. We're talking about the theoretical maximum throughput which, because of the contention on the get threadpool, and because there are many thread pools overbooking the available processors, it's not something I would consider practically important.
Yet, a possible mitigation would be to decrease (halve) the default hashing cost factor for API Keys. GIven the length of the random api key secret that we generate, we would still remain out of the brute force plausibility range.
|
Was any consideration given to having a single thread pool for hashing/expensive operations within security? |
I thought about it but didn't have an open discussion within the team. My concern was the initial authentication would be too slow, but this could also be a bias that I got from doing performance tests where initial warming up is evident. It might not be as a big concern for real use cases? Do you have an argument in favor of it? |
In general, we have been very judicious with adding additional thread pools. This PR targets API keys but we also have similar issues with native users since we use a get request and then validate on the get thread pool there as well. Some hash verification can also occur on network threads in the case of the file realm. The reserved realm also will perform the hash verification on a network thread or thread from the get thread pool depending on the state of the security index. These operations are designed to take time so if we were going to introduce a new thread pool, I think it would be wise to use a single thread pool to move these expensive operations out of the other pools and limit the amount of CPU that could be scheduled to service these operations. |
| return List.of( | ||
| new FixedExecutorBuilder(settings, TokenService.THREAD_POOL_NAME, 1, 1000, | ||
| "xpack.security.authc.token.thread_pool", false), | ||
| new FixedExecutorBuilder(settings, ApiKeyService.THREAD_POOL_NAME, |
There was a problem hiding this comment.
I think we should name this thread pool in a more generic way to reflect the intent that it be used for all password hashing.
Something like security-password-hash feels better to me than security-api-key
There was a problem hiding this comment.
As discussed, renamed it to security-crypto.
I recall having exactly that conversation and thought that we agreed to move in that direction (not in this PR, but as a followup). |
Sorry @jaymode I mis-read your message. I thought you were asking for a single thread thread pool .... Tim is right. We have discussed this and agreed that we will consolidate security related expensive operations into a single pool. |
...k/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyIntegTests.java
Outdated
Show resolved
Hide resolved
...k/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyIntegTests.java
Show resolved
Hide resolved
Co-authored-by: Tim Vernum <tim@adjective.org>
…lastic#58090) The PR introduces following two changes: Move API key validation into a new separate threadpool. The new threadpool is created separately with half of the available processors and 1000 in queue size. We could combine it with the existing TokenService's threadpool. Technically it is straightforward, but I am not sure whether it could be a rushed optimization since I am not clear about potential impact on the token service. On threadpoool saturation, it now fails with EsRejectedExecutionException which in turns gives back a 429, instead of 401 status code to users.
A small follow up for #58090 to correct the settings prefix
…58090) (#59047) The PR introduces following two changes: Move API key validation into a new separate threadpool. The new threadpool is created separately with half of the available processors and 1000 in queue size. We could combine it with the existing TokenService's threadpool. Technically it is straightforward, but I am not sure whether it could be a rushed optimization since I am not clear about potential impact on the token service. On threadpoool saturation, it now fails with EsRejectedExecutionException which in turns gives back a 429, instead of 401 status code to users.
The changes in #74106 make API keys cached on creation time. It helps avoid the expensive hashing operation on initial authentication when a request using the key hits the same node that creates the key. Since the more expensive hashing on authentication time is handled by a dedicated "crypto" thread pool (#58090), it is expected that usage of the "crypto" thread pool to be reduced. This PR moves the hashing on creation time to the "crypto" thread pool so that a similar (before #74106) usage level of "crypto" thread pool is maintained. It also has the benefit to avoid costly operations in the transport_worker thread, which is generally preferred. Relates: #74106
The changes in elastic#74106 make API keys cached on creation time. It helps avoid the expensive hashing operation on initial authentication when a request using the key hits the same node that creates the key. Since the more expensive hashing on authentication time is handled by a dedicated "crypto" thread pool (elastic#58090), it is expected that usage of the "crypto" thread pool to be reduced. This PR moves the hashing on creation time to the "crypto" thread pool so that a similar (before elastic#74106) usage level of "crypto" thread pool is maintained. It also has the benefit to avoid costly operations in the transport_worker thread, which is generally preferred. Relates: elastic#74106
The changes in #74106 make API keys cached on creation time. It helps avoid the expensive hashing operation on initial authentication when a request using the key hits the same node that creates the key. Since the more expensive hashing on authentication time is handled by a dedicated "crypto" thread pool (#58090), it is expected that usage of the "crypto" thread pool to be reduced. This PR moves the hashing on creation time to the "crypto" thread pool so that a similar (before #74106) usage level of "crypto" thread pool is maintained. It also has the benefit to avoid costly operations in the transport_worker thread, which is generally preferred. Relates: #74106
The PR introduces following two changes:
The new threadpool is created separately with half of the available processors and 1000 in queue size. We could combine it with the existing TokenService's threadpool. Technically it is straightforward, but I am not sure whether it could be a rushed optimization since I am not clear about potential impact on the token service.
On threadpoool saturation, it now fails with
EsRejectedExecutionExceptionwhich in turns gives back a429status code to users.Note this is also a subtle behaviour change: Previously any failures during API key validation are translated into "unsuccessful but continue to realm authentication". After the change, threadpool saturation error is translated into "unsuccessful and terminate authentication". The difference will manifest iteself when user sends in two set of credentials, e.g. one for API key and one for basic auth. Before the change, authentication will continue with the basic auth and if it is valid, authentication will end up as successful. After the change, the authentication stops at API key when pool is saturated and does not proceed further. When threadpool is saturated, it is highly likely that users do want the API key authentication (otherwise the pool will not be saturated in the first place). Hence I doubt any user would really depend on the existing behaviour.(edit: this is not a concern since the code does not allow multiple Authorization headers. Thanks @jkakavas)Resolves: #58088