[ 
https://issues.apache.org/jira/browse/KNOX-2375?focusedWorklogId=441002&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-441002
 ]

ASF GitHub Bot logged work on KNOX-2375:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 03/Jun/20 22:02
            Start Date: 03/Jun/20 22:02
    Worklog Time Spent: 10m 
      Work Description: smolnar82 commented on a change in pull request #337:
URL: https://github.com/apache/knox/pull/337#discussion_r434880140



##########
File path: 
gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenAuthorityService.java
##########
@@ -177,11 +192,7 @@ public JWT issueToken(Principal p, List<String> audiences, 
String algorithm, lon
   }
 
   private char[] getSigningKeyPassphrase(char[] signingKeyPassphrase) throws 
AliasServiceException {
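
Review bot: the `throws AliasServiceException` clause on the `getSigningKeyPassphrase` signature should be checked against the shortened body (the hunk header shows this region going from 11 lines to 7). If nothing left in the body can throw it, remove the clause. Assuming `AliasServiceException` is a checked exception, the compiler will then reject any caller that still catches it, which surfaces every dead try/catch in one build.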

Review comment:
       No longer throws `AliasServiceException`

##########
File path: 
gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenAuthorityService.java
##########
@@ -135,6 +138,25 @@ public JWT issueToken(Principal p, List<String> audiences, 
String algorithm, lon
     return issueToken(p, audiences, algorithm, expires, null, null, null);
   }
 
+  private RSAPrivateKey getSigningKey(final String signingKeystoreName,
+                                      final String signingKeystoreAlias,
+                                      final char[] signingKeystorePassphrase)
+          throws KeystoreServiceException, TokenServiceException {
+
+    if (signingKeystorePassphrase != null) {
+      char[] passphrase;
+      try {
+        passphrase = getSigningKeyPassphrase(signingKeystorePassphrase);
+      } catch (AliasServiceException e) {
+        throw new TokenServiceException(e);
+      }
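
Review bot: in `getSigningKey`, the `catch (AliasServiceException e)` rethrows as `new TokenServiceException(e)` with no message, so the resulting log entry will not say which keystore or alias was being resolved. If the catch stays, and the exception type has a message-and-cause constructor, include `signingKeystoreName` and `signingKeystoreAlias` in the message and keep the passphrase out of it. The split `char[] passphrase;` declaration exists only to serve the try block and can become a single initialized `final` local if the try/catch is removed.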

Review comment:
       Since `getSigningKeyPassphrase` no longer throws `AliasServiceException` -> the try/catch block is unnecessary.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]


Issue Time Tracking
-------------------

    Worklog Id:     (was: 441002)
    Time Spent: 2h 40m  (was: 2.5h)

> Token state eviction should access the keystore file less frequently
> --------------------------------------------------------------------
>
>                 Key: KNOX-2375
>                 URL: https://issues.apache.org/jira/browse/KNOX-2375
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 1.4.0
>            Reporter: Philip Zampino
>            Assignee: Philip Zampino
>            Priority: Major
>          Time Spent: 2h 40m
>  Remaining Estimate: 0h
>
> When the AliasBasedTokenStateService is employed, the TokenStateService 
> reaper loads the keystore file (via the AliasService and KeyStoreService) 
> very frequently.
>  # It queries all the token-state-related aliases
>  # For every token ID
>  ## Looks up the token again (validateToken())
>  ## Looks up the token expiration
>  ## Removes the token expiration alias
>  ## Removes the token max lifetime alias
> This means the KeyStoreService loads the keystore file (1 + 2-to-4-per-token) 
> times every eviction interval (default 5 minutes). That means, if there are 
> 100 expired tokens and 100 unexpired tokens, the reaper will load the 
> keystore file 601 times in one iteration.
> As the keystore file size increases, the already poor performance of loading 
> this file degrades even more to the point that the token state reaper can 
> consume 100% of the CPU.
> The reaper should operate on the in-memory token state as much as possible, 
> and even remove expired token state in bulk (loading / writing the keystore 
> file once for all).
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
