[resending]

On Tue, Sep 6, 2016 at 9:26 PM, Prabath Siriwardana <[email protected]> wrote:

> We would need to get rid of username/password based validation for
> system to system admin service calls. As you said, it's costly and also
> we need to share the credentials.
>
> Can we use mutual auth for that instead...?
>
> Thanks & regards,
> -Prabath
>
> On Tue, Sep 6, 2016 at 9:22 PM, Nuwan Dias <[email protected]> wrote:
>
>> Having sticky sessions between Gateway and Key Manager is not mandatory.
>> Having sticky sessions will only provide you a gain in performance and
>> will not have any functional impact otherwise without it.
>>
>> *Why?*
>>
>> How this works is the Gateway logs into a Key Manager and obtains a
>> cookie. This cookie is used in all subsequent calls from the Gateway to
>> Key Manager. The basic auth (admin) credentials are also passed in each
>> request. The Key Manager will first try to validate the cookie and if
>> that fails it will fall back and authenticate the user based on the
>> basic auth credentials and issue a new cookie. Having sticky sessions
>> will ensure that the cookie validation will only fail when the session
>> times out. If sticky sessions aren't set up there will be cases where
>> the cookie validation will fail and hence the Key Manager will have to
>> perform the additional step of authenticating the credentials in the
>> basic auth header.
>>
>> Thanks,
>> NuwanD.
>>
>> On Wed, Sep 7, 2016 at 2:34 AM, Shammi Jayasinghe <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> WSO2 always asks to enable sticky sessions in a distributed setup which
>>> has multiple key manager nodes. According to my understanding, we need
>>> to have this since there are multiple calls going back and forth
>>> between Gateway and the Key Manager node when it comes to doing key
>>> generation and other token related stuff.
>>>
>>> Having sticky sessions always enabled introduces another problem when
>>> balancing the load, as in the following example.
>>>
>>> Eg: We have 5 GW servers in a cluster. There are 1000 users using this
>>> system. We declare 1 GW server can handle 1000 TPS as max. So, the
>>> total max capacity of the system, we say, is 5000 TPS.
>>>
>>> At a particular time, there are 5 users generating traffic like 800 TPS
>>> and the other 995 users generate only 1 TPS. So, as the total it is
>>> under the max capacity,
>>>
>>> 800 x 5 + 995 = 4995
>>>
>>> But, with the sticky sessions, if these 5 top users made the initial
>>> session with a single GW node, the load to that server will be 4000 TPS
>>> which exhausts the resources.
>>>
>>> So, having sticky sessions is introducing a problem with load
>>> balancing.
>>>
>>> Is there any possibility to avoid this sticky session requirement by
>>> introducing a way to do token related operations in a single call from
>>> GW to KM?
>>>
>>>
>>> Thanks
>>> shammi
>>>
>>> --
>>> Best Regards,
>>>
>>> *Shammi Jayasinghe*
>>>
>>> *Technical Lead*
>>> *WSO2, Inc.*
>>> *+1-812-391-7730*
>>> *+1-812-327-3505*
>>>
>>> *http://shammijayasinghe.blogspot.com*
>>>
>>
>> --
>> Nuwan Dias
>>
>> Software Architect - WSO2, Inc. http://wso2.com
>> email : [email protected]
>> Phone : +94 777 775 729
>>
>
> --
> Thanks & Regards,
> Prabath
>
> Twitter : @prabath
> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>
> Mobile : +1 650 625 7950
>
> http://facilelogin.com
>

--
Thanks & Regards,
Prabath

Twitter : @prabath
LinkedIn : http://www.linkedin.com/in/prabathsiriwardena

Mobile : +1 650 625 7950

http://facilelogin.com
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
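
The cookie-then-basic-auth fallback described in the thread, modelled in Python to show how often the costly credential check runs with and without sticky sessions. This is an added example, not WSO2 code: the class and function names, the per-node session store that is not shared between Key Manager nodes, the round-robin balancer and the sample credentials are all assumptions, and session timeout is not modelled.

```python
import itertools
import secrets


class KeyManagerNode:
    """Hypothetical Key Manager node with its own local session store."""

    def __init__(self, admin_user, admin_password):
        self._creds = (admin_user, admin_password)
        self._sessions = set()       # cookies issued by THIS node only (assumption)
        self.credential_checks = 0   # number of costly fallback authentications

    def handle(self, cookie, basic_auth):
        # Step 1: validate the cookie, a cheap lookup in the local session store.
        if cookie in self._sessions:
            return cookie
        # Step 2: fall back to the basic auth credentials sent with every request.
        self.credential_checks += 1
        if basic_auth != self._creds:
            raise PermissionError("invalid admin credentials")
        # Step 3: issue a new cookie for the Gateway to use on later calls.
        new_cookie = secrets.token_hex(16)
        self._sessions.add(new_cookie)
        return new_cookie


def simulate(requests, nodes, sticky):
    """Total credential checks for one Gateway making `requests` admin calls."""
    creds = ("admin", "constructed-password")  # constructed sample values
    kms = [KeyManagerNode(*creds) for _ in range(nodes)]
    round_robin = itertools.cycle(kms)
    cookie = None                              # the Gateway keeps only its latest cookie
    for _ in range(requests):
        # Sticky: always the same node. Otherwise: the balancer rotates nodes.
        km = kms[0] if sticky else next(round_robin)
        cookie = km.handle(cookie, creds)
    return sum(km.credential_checks for km in kms)


if __name__ == "__main__":
    for sticky in (True, False):
        checks = simulate(requests=100, nodes=3, sticky=sticky)
        print(f"sticky={sticky}: {checks} credential checks in 100 calls")
```

Every call succeeds in both modes, which matches the point that sticky sessions affect performance only; what changes is how many calls pay for a full credential authentication.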
