Philip Zampino created KNOX-2375:
------------------------------------
Summary: Token state eviction should access the keystore file less
frequently
Key: KNOX-2375
URL: https://issues.apache.org/jira/browse/KNOX-2375
Project: Apache Knox
Issue Type: Bug
Components: Server
Affects Versions: 1.4.0
Reporter: Philip Zampino
Assignee: Philip Zampino
When the AliasBasedTokenStateService is employed, the TokenStateService reaper
loads the keystore file (via the AliasService and KeyStoreService) very
frequently.
# It queries all the token-state-related aliases
# For every token ID
## Looks up the token again (validateToken())
## Looks up the the token expiration
## Removes the token expiration alias
## Removes the token max lifetime alias
This means the KeyStoreService loads the keystore file (1 + 2-to-4-per-token)
times every eviction interval (default 5 minutes). That means, if there are 100
expired tokens and 100 unexpired tokens, the reaper will load the keystore file
601 times in one iteration.
As the keystore file size increases, the already poor performance of loading
this file degrades even more to the point that the token state reaper can
consume 100% of the CPU.
The reaper should operate on the in-memory token state as much as possible, and
even remove expired token state in bulk (loading / writing the keystore file
once for all).
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
