ApiKeyAuthCache now expires after access instead of write (#73982) #74105
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
) API key authCache is set to expire after write (by default 24 hours). ExpireAfterWrite is generally preferred over expireAfterAccess because it guarantees stale entries get evicted eventually in edge cases, e.g. when the cache misses a notification from the cluster. However, things are a bit different for the authCache. There is an additional roundtrip to the security index for fetching the API key document. If the document does not exists (removed due to expiration) or is invalidated, the authentication fails earlier on without even consulting the authCache. This means the stale entries won't cause any security issues when they exist. Therefore, this PR changes the authCache to be expire after access, which helps preventing potential cyclic surge of expensive hash computations especially when a large number of API keys are in use. To further help the cache efficiency, this PR also actively invalidates the authCache if the document is either not found or invalidated so it does not have to wait for 24 hour to happen. Note that these are all edge cases and we don't expect them to happen often (if at all).
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
API key authCache is set to expire after write (by default 24 hours).
ExpireAfterWrite is generally preferred over expireAfterAccess because it
guarantees stale entries get evicted eventually in edge cases, e.g. when the
cache misses a notification from the cluster.
However, things are a bit different for the authCache. There is an additional
roundtrip to the security index for fetching the API key document. If the
document does not exists (removed due to expiration) or is invalidated, the
authentication fails earlier on without even consulting the authCache. This
means the stale entries won't cause any security issues when they exist.
Therefore, this PR changes the authCache to be expire after access, which helps
preventing potential cyclic surge of expensive hash computations especially
when a large number of API keys are in use.
To further help the cache efficiency, this PR also actively invalidates the
authCache if the document is either not found or invalidated so it does not
have to wait for 24 hour to happen. Note that these are all edge cases and we
don't expect them to happen often (if at all).