Github user rhtyd commented on the pull request: https://github.com/apache/cloudstack/pull/1489#issuecomment-214212648 @koushik-das this is part of the feature to be able to check access based on rules in DB and be consistent across all mgmt servers. In my local environment with stock (un-optimized) mysql server, I can do a max of 12.8k req/s benchmarked against wrk ``` $ wrk -t16 -c1000 -d30s "http://localhost:8080/client/api?command=listUsers" [14:08:08] Running 30s test @ http://localhost:8080/client/api?command=listUsers 16 threads and 1000 connections Thread Stats Avg Stdev Max +/- Stdev Latency 78.35ms 64.44ms 1.52s 93.98% Req/Sec 810.93 171.75 1.98k 77.53% 387964 requests in 30.09s, 147.26MB read Socket errors: connect 0, read 0, write 0, timeout 2 Non-2xx or 3xx responses: 387964 Requests/sec: 12893.98 Transfer/sec: 4.89MB ``` And with another query, where dynamic checker is forced to fail doing all sorts of db queries, it resulted about 700 req/s. ``` $ wrk -t16 -c1000 -d30s "http://localhost:8096/client/api?signatureversion=3&apiKey=&expires=2016-04-25T08%3A50%3A19%2B0000&command=listUsers&signature=fmgUHUhRdCYf%2BoPHgcTVqzx0am4%3D&response=json&listall=true" Running 30s test @ http://localhost:8096/client/api?signatureversion=3&apiKey=&expires=2016-04-25T08%3A50%3A19%2B0000&command=listUsers&signature=fmgUHUhRdCYf%2BoPHgcTVqzx0am4%3D&response=json&listall=true 16 threads and 1000 connections Thread Stats Avg Stdev Max +/- Stdev Latency 1.32s 197.24ms 1.79s 90.25% Req/Sec 72.78 91.71 570.00 89.25% 21252 requests in 30.09s, 31.43MB read Socket errors: connect 0, read 0, write 0, timeout 18 Requests/sec: 706.17 Transfer/sec: 1.04MB ``` @koushik-das we've db schema for consistency, we read data from commands.properties and write them to a db table. We've a test_staticroles.py too, that can do pre-upgrade integration testing and post-upgrade we've test_dynamicroles.py. Lastly, it is intended to make reverse-migration difficult to avoid inconsistent and unknown security behavior, read FS for details. If you simply turn off the restricted global setting (from true to false), it will disable both dynamic and static checker. One constraint for this to enable is that a flag in db is enabled and commands.properties file does not exist or readable from its classpath. Also, since commands.properties is removed even if you switch the flags you'll need to create this file, put in client/tomcatconf (as developer) and restart mgmt server as unlike dynamic-checker, the static checker initializes only at boot time and not runtime.
--- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---