AMQ Broker / ENTMQBR-7628

Authorizations not cached anymore after cache expiration


    • Broker critically slows down because of continuous LDAP requests.

      Configure a Broker with LDAP and continuously send and receive messages using one user for longer than the cache expiration timeout (10000ms by default).

      Using the following Byteman rules, it's possible to see that the cache is loaded just before the expiration but not after.

      # Fires on every LDAP role lookup, i.e. on every round trip to the directory
      RULE Trace LDAPLoginModule-addRoles
      CLASS org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule
      METHOD addRoles
      AT ENTRY
      IF TRUE
      DO
      #traceStack("LDAPLoginModule#addRoles:\n", 20)
      traceln("###LDAPLoginModule#addRoles")
      ENDRULE

      # Reports an authorization cache miss and dumps the cache content at that moment
      RULE Trace SecurityStoreImpl-checkAuthorizationCache-act
      CLASS org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl
      METHOD checkAuthorizationCache
      AFTER WRITE $act
      IF $act == null
      DO traceln("###checkAuthorizationCache:NOT IN GUAVA CACHE\n"+$0+"\n"+$1+"\n"+$2+"\n"+$3);
         traceln("###checkAuthorizationCache:Cache "+$this.authorizationCache.hashCode()+"\n\t"+$this.authorizationCache.asMap());
      ENDRULE

      # Prints the cache settings the security store was built with
      RULE Trace SecurityStoreImpl-constructor
      CLASS org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl
      METHOD <init>
      AT EXIT
      IF TRUE
      DO traceln("###SecurityStoreImpl-constructor:Guava Cache\ninvalidationInterval:"+$3+"\nauthenticationCacheSize:"+$8+"\nauthorizationCacheSize:"+$9)
      ENDRULE

      # Shows every insertion into a Guava cache (authentication and authorization caches)
      RULE Trace Cache-put
      INTERFACE com.google.common.cache.Cache
      METHOD put
      AT EXIT
      IF TRUE
      DO traceln("###put:Cache put ["+$1+","+$2+"]");
         traceln("###put:Cache "+$this.hashCode()+"\n\t"+$this.asMap());
      ENDRULE

      # Shows when a cache entry is evaluated as expired
      RULE Trace Cache-isExpired
      CLASS com.google.common.cache.LocalCache
      METHOD isExpired
      AT EXIT
      BIND expired:boolean = $!;
      IF expired
      DO traceln("###expired:"+$1.hashCode());
      ENDRULE
    • Critical

      At the first request, authorizations are cached in the authorization cache. When the cache expires, the Broker is no longer able to refill it and keeps requesting a login until the client disconnects and reconnects. This creates a flood of requests to the authorization provider, which is critical if it is LDAP.

      It seems to be because the SecurityStore, on a cache miss, reloads the Subject but does not cache it again. SecurityStoreImpl.java#L396
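      Added example (not part of this report or of the Artemis code base): a small Python model of the cache-miss path described above, driven by a fake clock, that counts provider round trips with and without re-caching the reloaded subject. AuthorizationStore, simulate and load_roles are names chosen for this example; the 10000ms expiration is the default quoted in the steps to reproduce.

```python
import time

CACHE_TTL_MS = 10_000  # authorization cache expiration used in the report (10000ms default)


class AuthorizationStore:
    """Toy model of the broker's authorization cache path (constructed, not Artemis code).
    load_roles stands in for the LDAP login module: every call is one round trip."""

    def __init__(self, load_roles, refill_after_expiry, clock_ms=None, ttl_ms=CACHE_TTL_MS):
        self._load_roles = load_roles
        self._refill_after_expiry = refill_after_expiry
        self._clock_ms = clock_ms or (lambda: int(time.monotonic() * 1000))
        self._ttl_ms = ttl_ms
        self._cache = {}         # user -> (roles, inserted_at_ms)
        self._seen = set()       # users whose roles have been cached at least once
        self.provider_calls = 0  # number of lookups that reached the provider

    def _cached_roles(self, user):
        entry = self._cache.get(user)
        if entry is None:
            return None
        roles, inserted_at = entry
        if self._clock_ms() - inserted_at >= self._ttl_ms:
            del self._cache[user]  # expired, like Guava's expireAfterWrite
            return None
        return roles

    def check(self, user, required_role):
        roles = self._cached_roles(user)
        if roles is None:
            self.provider_calls += 1
            roles = self._load_roles(user)
            # Reported behaviour: the subject is reloaded on a miss but only the
            # first load is cached; the fix re-caches after every reload.
            if self._refill_after_expiry or user not in self._seen:
                self._cache[user] = (roles, self._clock_ms())
                self._seen.add(user)
        return required_role in roles


def simulate(refill_after_expiry, duration_ms=30_000, step_ms=100):
    """One check every step_ms for duration_ms on a fake clock; returns provider round trips."""
    now = [0]
    store = AuthorizationStore(lambda user: {"amq"}, refill_after_expiry,
                               clock_ms=lambda: now[0])
    for _ in range(duration_ms // step_ms):
        if not store.check("ldapuser", "amq"):
            raise RuntimeError("authorization unexpectedly denied")
        now[0] += step_ms
    return store.provider_calls
```

      Over 30 seconds of one check every 100ms, the re-caching store asks the provider 3 times (once per expiration), while the non-re-caching store asks 201 times: once at start, then on every check after the first expiration, which is the flood the report describes.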

              rhn-support-jbertram Justin Bertram
              rhn-support-agagliar Antonio Gagliardi
              Samuel Gajdos Samuel Gajdos
              Michal Toth