perf(auth/ldap): Limit search object size (#747)
Currently, when fiat syncs LDAP roles with the new Group -> User mapping,
the response is huge, as mentioned in the original commit. To work around
this issue, this change adds the wanted attributes to the search, making
the search only return those attributes.

To be able to use the "attributes to return" feature we also have to set a
search scope. Using the default scope of SUBTREE_SCOPE caused errors on
my test setup, and changing to OBJECT_SCOPE solved those issues. Unit tests
however still pass in both cases.

The delimiter for the GroupUserAttributes is configurable, but will
default to space, as it's the default for ldapsearch.

Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
sikevux and mergify[bot] committed Sep 8, 2020
1 parent ca87f8b commit bdb09ab
Showing 2 changed files with 6 additions and 0 deletions.
Expand Up @@ -58,6 +58,7 @@ public static class ConfigProps {
String groupSearchFilter = "(uniqueMember={0})";
String groupRoleAttributes = "cn";
String groupUserAttributes = "";
String groupUserAttributesDelimiter = " ";

int thresholdToUseGroupMembership = 100;
}
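Review bot: `groupUserAttributesDelimiter` is added without any comment on how it is interpreted, and the other changed file passes it straight to `String.split`, which treats its argument as a regular expression. A delimiter such as `|` or `.` would therefore not split on the literal character. Document next to the field that the value is a regex, or quote it with `Pattern.quote(...)` at the call site so operators can supply a plain character.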
Expand Up @@ -29,6 +29,7 @@
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import lombok.Setter;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.StringUtils;
Expand Down Expand Up @@ -135,6 +136,10 @@ public Map<String, Collection<Role>> multiLoadRoles(Collection<ExternalUser> use
configProps.getGroupSearchFilter(),
"*",
"*"), // Passing two wildcard params like loadRoles
SearchControls.OBJECT_SCOPE, // Limit the scope to single object
configProps
.getGroupUserAttributes()
.split(configProps.getGroupUserAttributesDelimiter()),
new UserGroupMapper())
.stream()
.flatMap(List::stream)
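Review bot: the added `.split(...)` argument does not handle the defaults from `ConfigProps`: `groupUserAttributes` defaults to `""`, and `"".split(" ")` returns a one-element array containing the empty string, so an unconfigured deployment asks for a single attribute with an empty name instead of leaving the attribute list unrestricted. Guard the blank case (`StringUtils` is already imported in this file) and pass `null` there so that all attributes are returned. Separately, `SearchControls.OBJECT_SCOPE` limits the search to the base entry itself, so group entries located below the search base would no longer be matched and their roles would silently drop out of the result. The commit message reports this working on one test setup only, so the scope is worth making configurable or covering with a test that places groups under the base.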