Bug #7203

Improve D1NodeService.isAuthorized() performance

Added by Chris Jones over 2 years ago. Updated over 2 years ago.

Status: In Progress
Priority: Normal
Assignee:
Category: metacat
Target version:
Start date: 07/22/2017
Due date:
% Done: 0%
Estimated time:
Bugzilla-Id:

Description

We're seeing poor performance in calls to D1NodeService.isAuthorized() on https://arcticdata.io. When the system Metacat is under light load (< 10 requests per second), calls to isAuthorized() are taking up to 35 seconds to return either an HTTP 200 response or an HTTP 403 exception.

Change isAuthorized() to prioritize user-based authorization first, and then CN or MN authorization last. This should increase performance for end users, whereas MN to MN replication calls and CN-administrative calls will be slightly less prioritized.

Note that calls to userHasPermission() involve token verification using the PortalCertificateManager and the TokenGenerator. These calls may be repeatedly making a call to the CN to get the SSL certificate for verification if it is not cached. If this change doesn't significantly improve performance, look into refactoring those classes in d1_portal to cache and use the certificate, unless there is a verification exception, in which case we make the call to fetchCertificate() again, re-cache it, and attempt to re-verify the token. If it still fails, throw NotAuthorized.
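
The cache-and-retry verification proposed in the paragraph above, as an added Java example that is not part of this issue or of d1_portal. `CachedKeyVerifier`, its `Supplier` (standing in for `fetchCertificate()`), the RSA/SHA-256 signature scheme and the sample token are all assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.function.Supplier;

// Added illustration: CachedKeyVerifier and its Supplier are hypothetical, not d1_portal classes.
public class CachedKeyVerifier {
    public static class NotAuthorized extends Exception {
        NotAuthorized(String msg) { super(msg); }
    }
    private final Supplier<PublicKey> fetchCertificate; // stands in for the remote call to the CN
    private volatile PublicKey cached;

    public CachedKeyVerifier(Supplier<PublicKey> fetchCertificate) { this.fetchCertificate = fetchCertificate; }

    private static boolean verifies(PublicKey key, byte[] payload, byte[] sig) {
        try {
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initVerify(key);
            s.update(payload);
            return s.verify(sig);
        } catch (GeneralSecurityException e) {
            return false; // malformed signature or unusable key is a failed verification
        }
    }
    public void verify(byte[] payload, byte[] sig) throws NotAuthorized {
        PublicKey key = cached;
        if (key == null) cached = key = fetchCertificate.get(); // cold cache: one fetch
        if (verifies(key, payload, sig)) return;                // common path: no remote call
        cached = key = fetchCertificate.get();                  // failure: re-fetch and re-cache once
        if (!verifies(key, payload, sig)) throw new NotAuthorized("token signature did not verify");
    }
    static byte[] sign(KeyPair kp, byte[] payload) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(kp.getPrivate());
        s.update(payload);
        return s.sign();
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair[] current = { gen.generateKeyPair() }; // constructed key, stands in for the CN's
        int[] fetches = { 0 };
        CachedKeyVerifier v = new CachedKeyVerifier(() -> { fetches[0]++; return current[0].getPublic(); });
        byte[] token = "sub=constructed-user".getBytes(StandardCharsets.UTF_8); // constructed payload
        v.verify(token, sign(current[0], token));
        v.verify(token, sign(current[0], token));
        System.out.println("fetches after two valid tokens: " + fetches[0]);
        current[0] = gen.generateKeyPair(); // simulate the CN rotating its key
        v.verify(token, sign(current[0], token));
        System.out.println("fetches after key rotation: " + fetches[0]);
        try { v.verify(token, new byte[256]); } // constructed invalid signature
        catch (NotAuthorized e) { System.out.println("rejected, fetches: " + fetches[0]); }
    }
}
```

With this retry rule every token that fails verification costs one remote fetch, so the re-fetch rate is worth bounding.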

History

#1 Updated by Chris Jones over 2 years ago

I've re-ordered the authorization in isAuthorized(). Needs testing, and merging into the 2.8.x branch.

#2 Updated by Chris Jones over 2 years ago

  • Subject changed from Improve D!NodeService.isAuthorized() performance to Improve D1NodeService.isAuthorized() performance
