[jira] [Commented] (OAK-6818) TokenAuthentication/TokenProviderImpl: cleanup expired tokens

Wed, 15 Nov 2017 05:55:37 -0800 

    [ 
https://issues.apache.org/jira/browse/OAK-6818?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16253473#comment-16253473
 ] 

Alex Deparvu commented on OAK-6818:
-----------------------------------

[~anchela] I added a benchmark to the existing patch. see WIP branch here [0].

Benchmark results (1k users, no concurrency):
{noformat}
(threshold = -1, this should be the baseline)
Apache Jackrabbit Oak
# LoginWithTokensTest              C     min     10%     50%     90%     max    
   N 
Oak-MemoryNS                       1       2       3       4       6      15   
13901
Oak-Segment-Tar                    1       1       1       2       2     152   
29909

(threshold = 1, worst case, cleanup happens after each commit)
# LoginWithTokensTest              C     min     10%     50%     90%     max    
   N 
Oak-MemoryNS                       1       2       3       4       6      18   
13449
Oak-Segment-Tar                    1       1       2       2       3     213   
26970

(threshold = 100)
# LoginWithTokensTest              C     min     10%     50%     90%     max    
   N 
Oak-MemoryNS                       1       2       3       4       6      12   
14084
Oak-Segment-Tar                    1       1       2       2       3     156   
27405
{noformat}


[0] https://github.com/apache/jackrabbit-oak/compare/trunk...stillalex:oak-6818

> TokenAuthentication/TokenProviderImpl: cleanup expired tokens
> -------------------------------------------------------------
>
>                 Key: OAK-6818
>                 URL: https://issues.apache.org/jira/browse/OAK-6818
>             Project: Jackrabbit Oak
>          Issue Type: New Feature
>          Components: core, security
>            Reporter: angela
>            Assignee: angela
>             Fix For: 1.8
>
>         Attachments: OAK-6818-osgi-test.patch, OAK-6818.patch
>
>
> During token based authentication a given token node gets removed if it is 
> found to have expired in the mean time:
> Extract from {{TokenAuthentication.validateCredentials(TokenCredentials)}} as 
> it works today:
> {code}
>        [...]
>         if (tokenInfo.isExpired(loginTime)) {
>             tokenInfo.remove();
>             return false;
>         }
>        [...]
> {code}
> However, this doesn't cope with those cases where expired tokens are being 
> left behind without ever being caught by cleanup (e.g. new token issued and 
> never try to login with expired token). So, this issue is about an extension 
> that would allow to somehow/somewhen cleanup those tokens during 
> authentication. In order not to cause extra overhead to the login we should 
> set a limit (e.g. number of token nodes) that would only trigger the cleanup 
> every now and then and not doing it all the time.
> What also needs to be clarified/investigated: would cleanup only be triggered 
> in case of a failure?
> cc: [~stillalex], [~tmueller], [~chetanm], [~asanso]



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to