maintain a static map of trusted roles for resource list lookup api #2476
Description
When we get a large number of simultaneous listResourceAccess calls, all try to get the current list of trust roles set up in the server. This could get quite large, so all the threads are busy getting a large number of rows from the DB. However, in most cases, those never change, so there is no need to fetch the list for every request. So now we're maintaining a static map of the roles to address the case with large simultaneous calls:
a) By default we drop the map every 10 minutes, so any deletions to the rows can be reflected in 10 minutes. This could be changed by specifying a different value for the athenz.zms.mysql_server_trust_roles_update_timeout property, in milliseconds (default 600,000).
b) We check the last modification timestamp of the policy that has an assertion with the assume_role action. This way new assertions are in effect immediately.
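Added example, not code from this pull request or from Athenz: a minimal Java sketch of the two refresh rules in the description, showing that a new trust role is picked up on the next call while a deleted one stays trusted until the timeout expires. The class and field names, the role keys, the in-memory map standing in for the DB, and the premise that a row deletion does not change the policy timestamp are all assumptions made for illustration.

```java
import java.util.*;
import java.util.function.*;

public class TrustRoleCacheDemo {
    // Hypothetical cache; names and structure are illustrative, not the ZMS code.
    static class TrustRoleCache {
        private final long ttlMillis;
        private final LongSupplier clock, lastModified;
        private final Supplier<Map<String, List<String>>> loader;
        private Map<String, List<String>> roles;
        private long loadedAt, seenModified;
        int loads; // number of full reads, to show how many requests hit the DB

        TrustRoleCache(long ttlMillis, LongSupplier clock, LongSupplier lastModified,
                       Supplier<Map<String, List<String>>> loader) {
            this.ttlMillis = ttlMillis; this.clock = clock;
            this.lastModified = lastModified; this.loader = loader;
        }

        synchronized Map<String, List<String>> get() {
            long now = clock.getAsLong();
            long modified = lastModified.getAsLong();      // cheap single-value lookup
            boolean expired = now - loadedAt >= ttlMillis; // rule (a): periodic drop
            boolean changed = modified > seenModified;     // rule (b): policy timestamp
            if (roles == null || expired || changed) {
                roles = Map.copyOf(loader.get());          // expensive full read
                loadedAt = now; seenModified = modified; loads++;
            }
            return roles;
        }
    }

    public static void main(String[] args) {
        long ttl = 600_000L; // default timeout stated in the description
        long[] now = {0}, modified = {1};
        Map<String, List<String>> db = new HashMap<>(); // constructed stand-in for DB rows
        db.put("tenant:role.admin", List.of("provider:role.ops"));
        TrustRoleCache cache = new TrustRoleCache(ttl, () -> now[0], () -> modified[0], () -> db);

        cache.get(); cache.get();
        System.out.println("full reads after 2 calls: " + cache.loads);
        db.put("tenant:role.reader", List.of("provider:role.audit"));
        modified[0] = 2; // a new assume_role assertion updates the policy timestamp
        System.out.println("new role visible: " + cache.get().containsKey("tenant:role.reader"));
        db.remove("tenant:role.admin"); // deletion, assumed not to touch the timestamp
        now[0] += ttl - 1;
        System.out.println("deleted role still trusted: " + cache.get().containsKey("tenant:role.admin"));
        now[0] += 1; // timeout reached, map is dropped and reloaded
        System.out.println("deleted role after timeout: " + cache.get().containsKey("tenant:role.admin"));
    }
}
```

The timeout therefore bounds how long a removed trust relationship can keep granting access, which is the value to weigh when changing the property.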