smolnar82 commented on a change in pull request #371:
URL: https://github.com/apache/knox/pull/371#discussion_r485133225



##########
File path: 
gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/DefaultAliasService.java
##########
@@ -194,6 +195,24 @@ public void removeAliasesForCluster(String clusterName, 
Set<String> aliases) thr
     return getPasswordFromAliasForCluster(NO_CLUSTER_NAME, alias);
   }
 
+  //Overriding the default behavior as we want to avoid loading the keystore 
N-times from the file system
+  @Override
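Review bot: The added comment above `@Override` says what is being avoided but not which inherited behavior is replaced or what this override guarantees. Since the comment is the only explanation of why the override exists, turn it into Javadoc on the method stating that the keystore is loaded once instead of N times, and add a space after `//`.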

Review comment:
       I'm going to re-check and change other methods too if needed.

##########
File path: 
gateway-spi/src/main/java/org/apache/knox/gateway/services/security/AliasService.java
##########
@@ -54,6 +54,8 @@ void generateAliasForCluster(String clusterName, String alias)
   char[] getPasswordFromAliasForGateway(String alias)
       throws AliasServiceException;
 
+  Map<String, char[]> getPasswordAliasMapForGateway() throws 
AliasServiceException;
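Review bot: The new `getPasswordAliasMapForGateway()` declaration has no Javadoc, and the contract matters because it returns every gateway password in a single `Map<String, char[]>`. Document whether the map and its `char[]` values are copies the caller may clear after use, and what is returned when the credential store has no entries. As declared here the method has no `default` body, so every existing `AliasService` implementation has to add it; if that is not intended, provide a default implementation in the interface.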

Review comment:
       I'll change it.

##########
File path: 
gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/AliasBasedTokenStateService.java
##########
@@ -122,6 +129,44 @@ public void start() throws ServiceLifecycleException {
                                                     statePersistenceInterval,
                                                     TimeUnit.SECONDS);
     }
+
+    // Loading ALL entries from __gateway-credentials.jceks could be VERY 
time-consuming (it took a bit more than 19 minutes to load 12k aliases
+    // during my tests).
+    // Therefore, it's safer to do it in a background thread than just make 
the service start hang until it's finished
+    final ExecutorService gatewayCredentialsLoader = 
Executors.newSingleThreadExecutor(new 
BasicThreadFactory.Builder().namingPattern("GatewayCredentialsLoader").build());
+    gatewayCredentialsLoader.execute(this::loadGatewayCredentialsOnStartup);
+  }
+
+  private void loadGatewayCredentialsOnStartup() {
+    try {
+      log.loadingGatewayCredentialsOnStartup();
+      final long start = System.currentTimeMillis();
+      final Map<String, char[]> passwordAliasMap = 
aliasService.getPasswordAliasMapForGateway();
+      String alias, tokenId;
+      long expiration, maxLifeTime;
+      int count = 0;
+      for (Map.Entry<String, char[]> passwordAliasMapEntry : 
passwordAliasMap.entrySet()) {
+        alias = passwordAliasMapEntry.getKey();
+        if (alias.endsWith(TOKEN_MAX_LIFETIME_POSTFIX)) {
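Review bot: The `gatewayCredentialsLoader` executor created at the end of `start()` is never shut down in the lines shown, so its worker thread outlives `loadGatewayCredentialsOnStartup`; call `gatewayCredentialsLoader.shutdown()` right after `execute(...)`, or set `daemon(true)` on the `BasicThreadFactory.Builder`. Because the comment cites more than 19 minutes to load 12k aliases, the code should also document what a token lookup does while the load is still running, so that a token whose expiration has not been loaded yet is handled deliberately. In the loop, `alias`, `tokenId`, `expiration` and `maxLifeTime` can be declared where they are assigned instead of before the `for`.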

Review comment:
       Sure; I'll add documentation.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]

