JENKINS-35493

severe performance regression after SECURITY-243

      Description

      If you have a git changelog with lots of commits by different users and a non-local authentication scheme (basically anything other than the local database) then viewing that page now takes a lot longer as all the users in the commits need to be looked up in the security realm to see if they are valid authentication "users" or if it is just a "full name" that can be resolved from disk.

      There needs to be a way for plugins to say "get me a user, not for authentication purposes" that, if the user has been saved on disk, will return that in preference to not hitting the security realm to see if the user does indeed exist.

      Setting hudson.model.User.SECURITY_243_FULL_DEFENSE=false helps, but there should really be a separate API.

      Without this extra API, all security realms need to implement multiple caches (a not-found cache as well as a regular cache).
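
The two caches the description mentions (found and not-found) in front of a slow realm lookup, as an added example that is not part of the original issue and is not Jenkins core code. The class RealmExistenceCache, its TTL values, the size bound and the sample authors are hypothetical; the realm is a stand-in predicate.

```java
import java.util.List;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Predicate;

// Hypothetical helper for illustration; not Jenkins core code.
public class RealmExistenceCache {
    private record Entry(boolean exists, long expiresAt) {}

    private final ConcurrentHashMap<String, Entry> entries = new ConcurrentHashMap<>();
    private final Predicate<String> realm;      // stand-in for the slow remote lookup
    private final long foundTtl, notFoundTtl;   // nanoseconds
    private final int maxEntries;

    public RealmExistenceCache(Predicate<String> realm, long foundTtlSec, long notFoundTtlSec, int maxEntries) {
        this.realm = realm;
        this.foundTtl = TimeUnit.SECONDS.toNanos(foundTtlSec);
        this.notFoundTtl = TimeUnit.SECONDS.toNanos(notFoundTtlSec);
        this.maxEntries = maxEntries;
    }

    /** For display purposes only (e.g. a changelog); never use the cached answer to authenticate. */
    public boolean exists(String id) {
        long now = System.nanoTime();
        Entry e = entries.get(id);
        if (e != null && now - e.expiresAt() < 0) return e.exists();
        boolean found = realm.test(id);          // one realm round trip
        // Commit authors are untrusted input: bound the map so junk names cannot grow it forever.
        if (entries.size() >= maxEntries) entries.clear();
        // Misses expire sooner so a newly provisioned account is noticed quickly.
        entries.put(id, new Entry(found, now + (found ? foundTtl : notFoundTtl)));
        return found;
    }

    public static void main(String[] args) {
        AtomicInteger realmCalls = new AtomicInteger();
        List<String> directory = List.of("alice", "bob");   // constructed sample realm
        RealmExistenceCache cache = new RealmExistenceCache(
            id -> { realmCalls.incrementAndGet(); return directory.contains(id); }, 300, 30, 10_000);
        // Constructed changelog: 1000 commits by four authors, two of them unknown to the realm.
        String[] authors = {"alice", "bob", "Carol Example", "dave@example.org"};
        int known = 0;
        for (int i = 0; i < 1000; i++) if (cache.exists(authors[i % authors.length])) known++;
        System.out.println("known=" + known + " realmCalls=" + realmCalls.get());
    }
}
```

With the constructed input the realm is queried 4 times for 1000 commits; with only a found cache, the two unknown authors would still cause 500 lookups.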

            Activity

            teilo James Nord created issue -
            teilo James Nord made changes -
            Field Original Value New Value
            Project Security Issues [ 10180 ] Jenkins [ 10172 ]
            Key SECURITY-311 JENKINS-35493
            Workflow Security v1.2 [ 171796 ] JNJira [ 171796 ]
            Status Untriaged [ 10001 ] Open [ 1 ]
            Component/s core [ 15593 ]
            Component/s core [ 15738 ]
            svanoort Sam Van Oort added a comment -

            It may be worth considering adding an API for raw author/committer Strings in changesets (similar to getAuthorName() in the GitChangeSet implementation) which does not require full user lookup (useful for cases like this).

            jglick Jesse Glick made changes -
            Labels regression performance regression
            jglick Jesse Glick made changes -
            Link This issue is blocking SECURITY-243 [ SECURITY-243 ]
            teilo James Nord made changes -
            Link This issue is related to JENKINS-35484 [ JENKINS-35484 ]
            rsandell rsandell added a comment -

            For this particular slowness we could perhaps just add a cache to the affected area https://github.com/jenkinsci/jenkins/blob/master/core/src/main/java/hudson/model/User.java#L1058 so that we can get it in an earlier LTS and then expose an API at a later date.

            rsandell rsandell made changes -
            Assignee rsandell [ rsandell ]
            rsandell rsandell made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            rsandell rsandell made changes -
            Remote Link This issue links to "PR 2446 (Web Link)" [ 14635 ]
            rsandell rsandell made changes -
            Labels performance regression lts-candidate performance regression
            swashbuck1r Spike Washburn added a comment -

            Daniel says resolvable since it is merged and the bot is broken.

            swashbuck1r Spike Washburn made changes -
            Status In Progress [ 3 ] Resolved [ 5 ]
            Resolution Fixed [ 1 ]
            rtyler R. Tyler Croy made changes -
            Workflow JNJira [ 171797 ] JNJira + In-Review [ 199165 ]
            olivergondza Oliver Gondža added a comment -

            rsandell, I am leaning towards not including this into 2.7.3 due to the complexity of the fix. Do you or somebody else feel strongly?

            svanoort Sam Van Oort added a comment -

            Oliver Gondža It's a rather significant problem for anything interacting with SCM changesets, since the changeset APIs resolve users to Jenkins users – in many cases with slower remote security realms, performance without a cache can be bad enough that it will lock up a Jenkins master almost completely.

            On those grounds it would be a very strong candidate for inclusion.

            CC James Nord and Jesse Glick to add to the above, since they've also dealt first-hand with problems from the SECURITY-243 fix without caches.

            olivergondza Oliver Gondža made changes -
            Labels lts-candidate performance regression 2.7.3-fixed performance regression
            markewaite Mark Waite made changes -
            Link This issue is related to JENKINS-38065 [ JENKINS-38065 ]
            svanoort Sam Van Oort made changes -
            Link This issue is duplicated by JENKINS-39084 [ JENKINS-39084 ]
            cloudbees CloudBees Inc. made changes -
            Remote Link This issue links to "CloudBees Internal OSS-1068 (Web Link)" [ 18780 ]

              People

              • Assignee:
                rsandell rsandell
                Reporter:
                teilo James Nord
              • Votes:
                1
                Watchers:
                6