
Backport of Add worker pool for LDAP group lookup into release/1.13.x #22703

Merged


hc-github-team-secure-vault-core (Collaborator)

Backport

This PR is auto-generated from #22659 to be assessed for backporting due to the inclusion of the label backport/1.13.x.

🚨 Warning: automatic cherry-pick of commits failed. If the first commit failed, you will see a blank no-op commit below. If at least one commit succeeded, you will see the cherry-picked commits up to, not including, the commit where the merge conflict occurred.

The person who merged in the original PR is:
@jasonodonnell
This person should manually cherry-pick the original PR into a new backport PR,
and close this one when the manual backport PR is merged in.

merge conflict error: POST https://api.github.com/repos/hashicorp/vault/merges: 409 Merge conflict []

The below text is copied from the body of the original PR.


This PR aims to make LDAP group lookup more performant by adding a worker pool for group searches. Specifically, this is helpful when use_token_groups=true and we need to look up every group associated with the user individually in LDAP.

In my testing, where an LDAP user is a member of 300 LDAP groups and has 300 policies mapped to those groups, I see a significant performance increase by using a worker pool:

Before:

$ time vault login -method=ldap username=bob password=password
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                    Value
---                    -----
token                  hvs.CAESIN2lzMYdtMMQ31k5MoBccnS8exljazJc6ahv40RN9sfJGh4KHGh2cy5kSGFyS3diVXNPRmIwWG5pdkw4OWV2Sjg
token_accessor         rOEMnAWD9hUWMqUL1Md5ko84
token_duration         768h
token_renewable        true
...

real	0m16.168s
user	0m0.057s
sys	0m0.027s

After:

$ time vault login -method=ldap username=bob password=password
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                    Value
---                    -----
token                  hvs.CAESIE311YhuFnlcsN2BYJKc0dnOnMNMnXLRBOMxpaXcD1s5Gh4KHGh2cy5iZjc0dkx5ZjdHVFBySUxiUERmTGpMSXg
token_accessor         n8QwGvA5HDXIcfB77FaT3hye
token_duration         768h
token_renewable        true
...

real	0m2.303s
user	0m0.059s
sys	0m0.029s
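The PR body above describes the technique but not the shape of the pool, so here is an added example of a bounded worker pool for per-group LDAP lookups. It is my illustration, not Vault's code: the GroupResolver interface, fakeDirectory, and the SID and DN values are constructed assumptions. It shows the three properties a reviewer would check for in such a change: concurrency against the directory is capped at the pool size rather than one goroutine per group, the shared result slice is written only under a mutex (the "Add lock" commit in the list above addresses exactly that class of data race), and any failed lookup fails the whole resolution so a partial group list never reaches policy mapping.

```go
package main

import (
	"context"
	"fmt"
	"sort"
	"sync"
	"sync/atomic"
	"time"
)

// GroupResolver is an assumed interface (not Vault's real LDAP client) for the
// one directory query that maps an identifier from the user's tokenGroups
// attribute to the group's distinguished name.
type GroupResolver interface {
	ResolveGroup(ctx context.Context, sid string) (string, error)
}

// resolveGroupsConcurrently fans per-group lookups out to at most `workers`
// goroutines, appends results under a mutex, fails closed on the first error,
// and sorts the names so output does not depend on goroutine scheduling.
func resolveGroupsConcurrently(ctx context.Context, r GroupResolver, sids []string, workers int) ([]string, error) {
	if workers < 1 {
		workers = 1
	}
	ctx, cancel := context.WithCancel(ctx)
	defer cancel()

	var (
		mu       sync.Mutex
		wg       sync.WaitGroup
		names    []string
		firstErr error
		failed   int
	)
	jobs := make(chan string)

	for i := 0; i < workers; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for sid := range jobs {
				name, err := r.ResolveGroup(ctx, sid)
				mu.Lock() // names/firstErr/failed are shared across workers
				if err != nil {
					failed++
					if firstErr == nil {
						firstErr = fmt.Errorf("group %s: %w", sid, err)
					}
					cancel() // stop feeding work; in-flight lookups observe ctx.Done()
				} else {
					names = append(names, name)
				}
				mu.Unlock()
			}
		}()
	}

	// Feed the queue from the caller's goroutine; stop early once cancelled.
feed:
	for _, sid := range sids {
		select {
		case jobs <- sid:
		case <-ctx.Done():
			break feed
		}
	}
	close(jobs)
	wg.Wait()

	if firstErr != nil {
		return nil, fmt.Errorf("%d group lookup(s) failed, first: %w", failed, firstErr)
	}
	sort.Strings(names)
	return names, nil
}

// fakeDirectory is a constructed in-memory stand-in for the LDAP server. It
// records the peak number of in-flight lookups so the pool bound can be checked.
type fakeDirectory struct {
	groups   map[string]string
	latency  time.Duration
	inflight int32
	peak     int32
}

func newFakeDirectory(n int, latency time.Duration) *fakeDirectory {
	d := &fakeDirectory{groups: make(map[string]string, n), latency: latency}
	for i := 0; i < n; i++ { // constructed SID and DN values
		sid := fmt.Sprintf("S-1-5-21-1000-2000-3000-%d", 1100+i)
		d.groups[sid] = fmt.Sprintf("CN=group-%03d,OU=Groups,DC=example,DC=test", i)
	}
	return d
}

func (d *fakeDirectory) sids() []string {
	out := make([]string, 0, len(d.groups))
	for sid := range d.groups {
		out = append(out, sid)
	}
	sort.Strings(out)
	return out
}

func (d *fakeDirectory) peakInflight() int { return int(atomic.LoadInt32(&d.peak)) }

func (d *fakeDirectory) ResolveGroup(ctx context.Context, sid string) (string, error) {
	cur := atomic.AddInt32(&d.inflight, 1)
	defer atomic.AddInt32(&d.inflight, -1)
	for p := atomic.LoadInt32(&d.peak); cur > p; p = atomic.LoadInt32(&d.peak) {
		if atomic.CompareAndSwapInt32(&d.peak, p, cur) {
			break
		}
	}
	select { // simulate one directory round-trip, honouring cancellation
	case <-time.After(d.latency):
	case <-ctx.Done():
		return "", ctx.Err()
	}
	name, ok := d.groups[sid]
	if !ok {
		return "", fmt.Errorf("not found in directory")
	}
	return name, nil
}

func main() {
	dir := newFakeDirectory(300, 5*time.Millisecond) // 300 groups, like the PR's test user
	for _, workers := range []int{1, 10} {
		start := time.Now()
		names, err := resolveGroupsConcurrently(context.Background(), dir, dir.sids(), workers)
		if err != nil {
			panic(err)
		}
		fmt.Printf("workers=%-2d groups=%d peak-inflight=%d elapsed=%v\n",
			workers, len(names), dir.peakInflight(), time.Since(start).Round(time.Millisecond))
	}
}
```

Running `go run` on the block prints one line per pool size; the serial run takes roughly 300 times the simulated latency, the ten-worker run about a tenth of that, and the peak in-flight count never exceeds the pool size. The pool size is the knob an operator would tune against the directory's connection limits; an unbounded fan-out would trade login latency for load on the LDAP server.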

Overview of commits

hashicorp-cla commented Aug 31, 2023

CLA assistant check
All committers have signed the CLA.

github-actions bot added the hashicorp-contributed-pr label ("If the PR is HashiCorp (i.e. not-community) contributed") Aug 31, 2023
* Add worker pool for LDAP group lookup

* changelog

* Add lock

* derefAliases disappeared
jasonodonnell force-pushed the backport/ldap-group-search/actually-first-caiman branch from 1628d0d to 355cc34 on August 31, 2023 19:42
jasonodonnell marked this pull request as ready for review August 31, 2023 19:42
jasonodonnell added this to the 1.13.7 milestone Aug 31, 2023
github-actions bot — Build Results:
All builds succeeded! ✅

github-actions bot — CI Results:
All Go tests succeeded! ✅

jasonodonnell enabled auto-merge (squash) September 1, 2023 12:07
jasonodonnell merged commit fa9c963 into release/1.13.x Sep 1, 2023
86 checks passed
jasonodonnell deleted the backport/ldap-group-search/actually-first-caiman branch September 1, 2023 12:25