Backport of Add worker pool for LDAP group lookup into release/1.14.x #22704

hc-github-team-secure-vault-core
Collaborator

Backport

This PR is auto-generated from #22659 to be assessed for backporting due to the inclusion of the label backport/1.14.x.

The below text is copied from the body of the original PR.


This PR aims to make LDAP group lookup more performant by adding a worker pool for group searches. Specifically, this is helpful when use_token_groups=true and we need to look up every group individually in LDAP associated with the user.

In my testing, where an LDAP user is a member of 300 LDAP groups and has 300 policies mapped to those groups, I see a significant performance increase by using a worker pool:

Before:

$ time vault login -method=ldap username=bob password=password
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                    Value
---                    -----
token                  hvs.CAESIN2lzMYdtMMQ31k5MoBccnS8exljazJc6ahv40RN9sfJGh4KHGh2cy5kSGFyS3diVXNPRmIwWG5pdkw4OWV2Sjg
token_accessor         rOEMnAWD9hUWMqUL1Md5ko84
token_duration         768h
token_renewable        true
...

real	0m16.168s
user	0m0.057s
sys	0m0.027s

After:

$ time vault login -method=ldap username=bob password=password
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                    Value
---                    -----
token                  hvs.CAESIE311YhuFnlcsN2BYJKc0dnOnMNMnXLRBOMxpaXcD1s5Gh4KHGh2cy5iZjc0dkx5ZjdHVFBySUxiUERmTGpMSXg
token_accessor         n8QwGvA5HDXIcfB77FaT3hye
token_duration         768h
token_renewable        true
...

real	0m2.303s
user	0m0.059s
sys	0m0.029s

Overview of commits

hc-github-team-secure-vault-core force-pushed the backport/ldap-group-search/indirectly-known-pug branch from f3470c0 to 5a97f4a, August 31, 2023 19:34
github-actions bot added the hashicorp-contributed-pr label (If the PR is HashiCorp (i.e. not-community) contributed), Aug 31, 2023
jasonodonnell added this to the 1.14.3 milestone, Aug 31, 2023

github-actions

Build Results:
All builds succeeded! ✅

github-actions

CI Results:
All Go tests succeeded! ✅

jasonodonnell merged commit ab54eb7 into release/1.14.x, Sep 1, 2023
91 of 92 checks passed
jasonodonnell deleted the backport/ldap-group-search/indirectly-known-pug branch, September 1, 2023 13:18
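
The bounded worker pool that the PR description refers to, as an added example (not the code from this PR or from Vault). `ResolveGroups` and its `lookup` callback are hypothetical names; the callback stands in for one LDAP group search, and the 300 group ids and 2 ms latency are constructed.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// ResolveGroups (hypothetical name) runs lookup, a stand-in for one LDAP group
// search, over ids with at most `workers` searches in flight. Results keep input
// order; errs[i] is non-nil when ids[i] failed, so no group is dropped silently.
func ResolveGroups(ids []string, workers int, lookup func(string) (string, error)) (names []string, errs []error) {
	names, errs = make([]string, len(ids)), make([]error, len(ids))
	if workers < 1 { // a pool of zero workers would block forever on jobs
		workers = 1
	}
	jobs := make(chan int)
	var wg sync.WaitGroup
	for w := 0; w < workers; w++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for i := range jobs { // each index is written by exactly one worker
				names[i], errs[i] = lookup(ids[i])
			}
		}()
	}
	for i := range ids {
		jobs <- i
	}
	close(jobs)
	wg.Wait() // all writes to names/errs happen before this returns
	return names, errs
}

func main() {
	ids := make([]string, 300) // constructed: 300 groups, as in the PR's test
	for i := range ids {
		ids[i] = fmt.Sprintf("group-id-%03d", i)
	}
	lookup := func(id string) (string, error) { // constructed: 2ms per search
		time.Sleep(2 * time.Millisecond)
		return "cn=" + id, nil
	}
	for _, workers := range []int{1, 10} {
		start := time.Now()
		names, _ := ResolveGroups(ids, workers, lookup)
		fmt.Printf("workers=%d groups=%d elapsed=%s\n", workers, len(names), time.Since(start).Round(time.Millisecond))
	}
}
```

The fixed pool size also caps how many concurrent searches a single login can place on the directory server, regardless of how many groups the user belongs to.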