Uploaded image for project: 'AMQ Broker'
  1. AMQ Broker
  2. ENTMQBR-7628

Authorizations not cached anymore after cache expiration

    XMLWordPrintable

Details

    • True
    • Broker critically slow down for continuously LDAP requests.
    • False
    • Migration
    • Hide

      none

      Show
      none
    • Hide

      Configure a Broker with LDAP and continuosly send and receive messages using one user for more time than the case expiration timeout (10000ms by default).

      Using the following Bytema rules, it's possible to recognize that the cache is loaded just before the expiration but not after.

      RULE Trace LDAPLoginModule-addRoles
CLASS org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule
METHOD addRoles
AT ENTRY
  IF TRUE    
    DO 
    #traceStack("LDAPLoginModule#addRoles:\n", 20)
    traceln("###LDAPLoginModule#addRoles")
ENDRULE

RULE Trace SecurityStoreImpl-checkAuthorizationCache-act
CLASS org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl
METHOD checkAuthorizationCache
AFTER WRITE $act
IF  $act == null
  DO traceln("###checkAuthorizationCache:NOT IN GUAVA CACHE\n"+$0+"\n"+$1+"\n"+$2+"\n"+$3);
     traceln("###checkAuthorizationCache:Cache "+$this.authorizationCache.hashCode()+"\n\t"+$this.authorizationCache.asMap());
ENDRULE

RULE Trace SecurityStoreImpl-constructor
CLASS org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl
METHOD <init>
AT EXIT
  IF TRUE
  DO traceln("###SecurityStoreImpl-constructor:Guava Cache\ninvalidationInterval:"+$3+"\nauthenticationCacheSize:"+$8+"\nauthorizationCacheSize:"+$9)
ENDRULE

RULE Trace Cache-put
INTERFACE com.google.common.cache.Cache
METHOD put
AT EXIT
  IF TRUE
    DO traceln("###put:Cache put ["+$1+","+$2+"]");
    traceln("###put:Cache "+$this.hashCode()+"\n\t"+$this.asMap());
ENDRULE

RULE Trace Cache-isExpired
CLASS com.google.common.cache.LocalCache
METHOD isExpired
AT EXIT
BIND expired:boolean = $!; 
  IF expired
    DO traceln("###expired:"+$1.hashCode());
ENDRULE
      Show
      Configure a Broker with LDAP and continuosly send and receive messages using one user for more time than the case expiration timeout (10000ms by default). Using the following Bytema rules, it's possible to recognize that the cache is loaded just before the expiration but not after. RULE Trace LDAPLoginModule-addRoles CLASS org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule METHOD addRoles AT ENTRY IF TRUE DO #traceStack( "LDAPLoginModule#addRoles:\n" , 20) traceln( "###LDAPLoginModule#addRoles" ) ENDRULE RULE Trace SecurityStoreImpl-checkAuthorizationCache-act CLASS org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl METHOD checkAuthorizationCache AFTER WRITE $act IF $act == null DO traceln( "###checkAuthorizationCache:NOT IN GUAVA CACHE\n" +$0+ "\n" +$1+ "\n" +$2+ "\n" +$3); traceln( "###checkAuthorizationCache:Cache " +$ this .authorizationCache.hashCode()+ "\n\t" +$ this .authorizationCache.asMap()); ENDRULE RULE Trace SecurityStoreImpl-constructor CLASS org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl METHOD <init> AT EXIT IF TRUE DO traceln( "###SecurityStoreImpl-constructor:Guava Cache\ninvalidationInterval:" +$3+ "\nauthenticationCacheSize:" +$8+ "\nauthorizationCacheSize:" +$9) ENDRULE RULE Trace Cache-put INTERFACE com.google.common.cache.Cache METHOD put AT EXIT IF TRUE DO traceln( "###put:Cache put [" +$1+ "," +$2+ "]" ); traceln( "###put:Cache " +$ this .hashCode()+ "\n\t" +$ this .asMap()); ENDRULE RULE Trace Cache-isExpired CLASS com.google.common.cache.LocalCache METHOD isExpired AT EXIT BIND expired: boolean = $!; IF expired DO traceln( "###expired:" +$1.hashCode()); ENDRULE
    • Critical

    Description

      At the first request, authorization are cached in the authorization cache. When the cache expires, the Broker is not able anymore to fill the cache and continuously request login until the client disconnect/reconnect. This create flood of requests to the Authorization provider, that is critical if it's LDAP.

      It seems because the SecurityStore, at a cache miss, reload the Subject but doesn't cache it anymore. SecurityStoreImpl.java#L396

      Attachments

        Issue Links

          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. ENTMQBR-7863 [LTS] Authorizations not cached anymore after cache expiration

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Activity

            People

              rhn-support-jbertram Justin Bertram
              rhn-support-agagliar Antonio Gagliardi
              Samuel Gajdos Samuel Gajdos
              Michal Toth
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: