[jira] [Commented] (OAK-6818) TokenAuthentication/TokenProviderImpl: cleanup expired tokens

Alex Deparvu (JIRA) Tue, 21 Nov 2017 00:18:01 -0800

    [ 
https://issues.apache.org/jira/browse/OAK-6818?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16260404#comment-16260404
 ]


Alex Deparvu commented on OAK-6818:
-----------------------------------

I see some merge conflicts with while running the benchmark with increased 
concurrency. [0]
it's a {{deleteDeletedNode}}, multiple threads try to run cleanup at the same 
time. Not a big problem because the commit is selfcontained to the cleanup only 
and failing doesn't cause much trouble (tokens have been already partially 
removed).
But maybe just to consider adding some sort of probability to the cleanup job 
to reduce the pressure, as suggested by Thomas above.

[0]
{noformat}
o.a.j.o.p.commit.ConflictValidator - Commit failed due to unresolved conflicts 
in /rep:security/rep:authorizables/rep:users/testPath/user514/.tokens = 
{deleteDeletedNode = {439a85af-20fe-4dc3-8144-34d34bb482f3}}
org.apache.jackrabbit.oak.api.CommitFailedException: OakState0001: Unresolved 
conflicts in /rep:security/rep:authorizables/rep:users/testPath/user514/.tokens
    at 
org.apache.jackrabbit.oak.plugins.commit.ConflictValidator.failOnMergeConflict(ConflictValidator.java:115)
 [classes/:na]
    at 
org.apache.jackrabbit.oak.plugins.commit.ConflictValidator.propertyAdded(ConflictValidator.java:84)
 [classes/:na]
    at 
org.apache.jackrabbit.oak.spi.commit.CompositeEditor.propertyAdded(CompositeEditor.java:83)
 [oak-store-spi-1.8-SNAPSHOT.jar:1.8-SNAPSHOT]
    at 
org.apache.jackrabbit.oak.spi.commit.EditorDiff.propertyAdded(EditorDiff.java:82)
 [oak-store-spi-1.8-SNAPSHOT.jar:1.8-SNAPSHOT]
    at 
org.apache.jackrabbit.oak.plugins.memory.ModifiedNodeState.compareAgainstBaseState(ModifiedNodeState.java:395)
 [oak-store-spi-1.8-SNAPSHOT.jar:1.8-SNAPSHOT]
    at 
org.apache.jackrabbit.oak.spi.commit.EditorDiff.childNodeChanged(EditorDiff.java:148)
 [oak-store-spi-1.8-SNAPSHOT.jar:1.8-SNAPSHOT]
    at 
org.apache.jackrabbit.oak.plugins.memory.ModifiedNodeState.compareAgainstBaseState(ModifiedNodeState.java:417)
 [oak-store-spi-1.8-SNAPSHOT.jar:1.8-SNAPSHOT]
    at 
org.apache.jackrabbit.oak.spi.commit.EditorDiff.childNodeChanged(EditorDiff.java:148)
 [oak-store-spi-1.8-SNAPSHOT.jar:1.8-SNAPSHOT]
    at 
org.apache.jackrabbit.oak.plugins.memory.ModifiedNodeState.compareAgainstBaseState(ModifiedNodeState.java:417)
 [oak-store-spi-1.8-SNAPSHOT.jar:1.8-SNAPSHOT]
    at 
org.apache.jackrabbit.oak.spi.commit.EditorDiff.childNodeChanged(EditorDiff.java:148)
 [oak-store-spi-1.8-SNAPSHOT.jar:1.8-SNAPSHOT]
    at 
org.apache.jackrabbit.oak.plugins.memory.ModifiedNodeState.compareAgainstBaseState(ModifiedNodeState.java:417)
 [oak-store-spi-1.8-SNAPSHOT.jar:1.8-SNAPSHOT]
    at 
org.apache.jackrabbit.oak.spi.commit.EditorDiff.childNodeChanged(EditorDiff.java:148)
 [oak-store-spi-1.8-SNAPSHOT.jar:1.8-SNAPSHOT]
    at 
org.apache.jackrabbit.oak.plugins.memory.ModifiedNodeState.compareAgainstBaseState(ModifiedNodeState.java:417)
 [oak-store-spi-1.8-SNAPSHOT.jar:1.8-SNAPSHOT]
    at 
org.apache.jackrabbit.oak.spi.commit.EditorDiff.childNodeChanged(EditorDiff.java:148)
 [oak-store-spi-1.8-SNAPSHOT.jar:1.8-SNAPSHOT]
    at 
org.apache.jackrabbit.oak.plugins.memory.ModifiedNodeState.compareAgainstBaseState(ModifiedNodeState.java:417)
 [oak-store-spi-1.8-SNAPSHOT.jar:1.8-SNAPSHOT]
    at 
org.apache.jackrabbit.oak.spi.commit.EditorDiff.childNodeChanged(EditorDiff.java:148)
 [oak-store-spi-1.8-SNAPSHOT.jar:1.8-SNAPSHOT]
    at 
org.apache.jackrabbit.oak.plugins.memory.ModifiedNodeState.compareAgainstBaseState(ModifiedNodeState.java:417)
 [oak-store-spi-1.8-SNAPSHOT.jar:1.8-SNAPSHOT]
    at 
org.apache.jackrabbit.oak.spi.commit.EditorDiff.process(EditorDiff.java:52) 
[oak-store-spi-1.8-SNAPSHOT.jar:1.8-SNAPSHOT]
    at 
org.apache.jackrabbit.oak.spi.commit.EditorHook.processCommit(EditorHook.java:55)
 [oak-store-spi-1.8-SNAPSHOT.jar:1.8-SNAPSHOT]
    at 
org.apache.jackrabbit.oak.spi.commit.CompositeHook.processCommit(CompositeHook.java:61)
 [oak-store-spi-1.8-SNAPSHOT.jar:1.8-SNAPSHOT]
    at 
org.apache.jackrabbit.oak.spi.commit.CompositeHook.processCommit(CompositeHook.java:61)
 [oak-store-spi-1.8-SNAPSHOT.jar:1.8-SNAPSHOT]
    at 
org.apache.jackrabbit.oak.plugins.memory.MemoryNodeStore$MemoryNodeStoreBranch.merge(MemoryNodeStore.java:295)
 [oak-store-spi-1.8-SNAPSHOT.jar:1.8-SNAPSHOT]
    at 
org.apache.jackrabbit.oak.plugins.memory.MemoryNodeStore.merge(MemoryNodeStore.java:134)
 [oak-store-spi-1.8-SNAPSHOT.jar:1.8-SNAPSHOT]
    at org.apache.jackrabbit.oak.core.MutableRoot.commit(MutableRoot.java:250) 
[classes/:na]
    at 
org.apache.jackrabbit.oak.security.authentication.token.TokenProviderImpl.cleanupExpired(TokenProviderImpl.java:476)
 [classes/:na]
    at 
org.apache.jackrabbit.oak.security.authentication.token.TokenProviderImpl.createToken(TokenProviderImpl.java:241)
 [classes/:na]
    at 
org.apache.jackrabbit.oak.security.authentication.token.TokenProviderImpl.createToken(TokenProviderImpl.java:187)
 [classes/:na]
    at 
org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule.commit(TokenLoginModule.java:167)
 [classes/:na]
{noformat} 

> TokenAuthentication/TokenProviderImpl: cleanup expired tokens
> -------------------------------------------------------------
>
>                 Key: OAK-6818
>                 URL: https://issues.apache.org/jira/browse/OAK-6818
>             Project: Jackrabbit Oak
>          Issue Type: New Feature
>          Components: core, security
>            Reporter: angela
>            Assignee: angela
>             Fix For: 1.8
>
>         Attachments: OAK-6818-osgi-test.patch, OAK-6818.patch
>
>
> During token based authentication a given token node gets removed if it is 
> found to have expired in the mean time:
> Extract from {{TokenAuthentication.validateCredentials(TokenCredentials)}} as 
> it works today:
> {code}
>        [...]
>         if (tokenInfo.isExpired(loginTime)) {
>             tokenInfo.remove();
>             return false;
>         }
>        [...]
> {code}
> However, this doesn't cope with those cases where expired tokens are being 
> left behind without ever being caught by cleanup (e.g. new token issued and 
> never try to login with expired token). So, this issue is about an extension 
> that would allow to somehow/somewhen cleanup those tokens during 
> authentication. In order not to cause extra overhead to the login we should 
> set a limit (e.g. number of token nodes) that would only trigger the cleanup 
> every now and then and not doing it all the time.
> What also needs to be clarified/investigated: would cleanup only be triggered 
> in case of a failure?
> cc: [~stillalex], [~tmueller], [~chetanm], [~asanso]



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (OAK-6818) TokenAuthentication/TokenProviderImpl: cleanup expired tokens

Reply via email to