Add worker pool for LDAP group lookup #22659

Merged
merged 6 commits into from
Aug 31, 2023

jasonodonnell
Contributor

This PR aims to make LDAP group lookup more performant by adding a worker pool for group searches. Specifically, this is helpful when use_token_groups=true and we need to look up every group individually in LDAP associated with the user.

In my testing, where an LDAP user is a member of 300 LDAP groups and has 300 policies mapped to those groups, I see a significant performance increase by using a worker pool:

Before:

$ time vault login -method=ldap username=bob password=password
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                    Value
---                    -----
token                  hvs.CAESIN2lzMYdtMMQ31k5MoBccnS8exljazJc6ahv40RN9sfJGh4KHGh2cy5kSGFyS3diVXNPRmIwWG5pdkw4OWV2Sjg
token_accessor         rOEMnAWD9hUWMqUL1Md5ko84
token_duration         768h
token_renewable        true
...

real	0m16.168s
user	0m0.057s
sys	0m0.027s

After:

$ time vault login -method=ldap username=bob password=password
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                    Value
---                    -----
token                  hvs.CAESIE311YhuFnlcsN2BYJKc0dnOnMNMnXLRBOMxpaXcD1s5Gh4KHGh2cy5iZjc0dkx5ZjdHVFBySUxiUERmTGpMSXg
token_accessor         n8QwGvA5HDXIcfB77FaT3hye
token_duration         768h
token_renewable        true
...

real	0m2.303s
user	0m0.059s
sys	0m0.029s
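
The pattern described above, as an added Go example that is not the code merged into Vault: a fixed number of workers drain a channel of group SIDs, so one login cannot open an unbounded number of concurrent directory searches, and a mutex guards the shared result slice so no resolved group is lost to a data race. `resolveGroups` and its `lookup` callback are hypothetical names; the callback stands in for one LDAP search, and counting failed lookups rather than aborting the login is an assumption of this example.

```go
package main

import (
	"fmt"
	"sort"
	"sync"
)

// resolveGroups calls lookup (a stand-in for one LDAP group search) for every
// SID with at most `workers` goroutines; it returns sorted DNs and a failure count.
func resolveGroups(sids []string, workers int, lookup func(string) (string, error)) ([]string, int) {
	if workers < 1 {
		workers = 1 // zero workers would block forever on the jobs channel
	}
	var mu sync.Mutex // guards groups and failed, which every worker writes
	var wg sync.WaitGroup
	var groups []string
	var failed int
	jobs := make(chan string)
	for i := 0; i < workers; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for sid := range jobs {
				dn, err := lookup(sid) // slow network call stays outside the lock
				mu.Lock()
				if err != nil {
					failed++
				} else {
					groups = append(groups, dn)
				}
				mu.Unlock()
			}
		}()
	}
	for _, sid := range sids {
		jobs <- sid
	}
	close(jobs)
	wg.Wait()
	sort.Strings(groups) // worker completion order is nondeterministic
	return groups, failed
}

func main() {
	// Constructed input: three SIDs and a fake lookup in place of an LDAP search.
	fake := func(sid string) (string, error) { return "cn=" + sid + ",ou=groups,dc=example,dc=com", nil }
	fmt.Println(resolveGroups([]string{"S-1-5-32-544", "S-1-5-32-545", "S-1-5-21-1-2-3-513"}, 2, fake))
}
```

A caller that maps groups to policies should decide what a non-zero failure count means for the login; running the code under `go test -race` confirms the lock covers every shared write.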

jasonodonnell added this to the 1.14.3 milestone Aug 30, 2023
jasonodonnell requested review from a team August 30, 2023 18:06
github-actions bot added the hashicorp-contributed-pr label Aug 30, 2023

github-actions bot

Build Results:
All builds succeeded! ✅

github-actions bot commented Aug 30, 2023

CI Results:
All Go tests succeeded! ✅

mpalmi (Contributor) commented Aug 30, 2023

Good stuff! Thanks for looking into the race.

raymonstah (Contributor) left a comment

Nice improvement. Tagging @jimlambrt in case we want to port these changes to the cap/ldap package as well.

austingebauer (Contributor) left a comment

Nice improvement! Thanks @jasonodonnell 👍

sdk/helper/ldaputil/client.go (review thread resolved)
jasonodonnell enabled auto-merge (squash) August 31, 2023 19:19
jasonodonnell merged commit 4e963c4 into main Aug 31, 2023
96 checks passed
jasonodonnell deleted the ldap-group-search branch August 31, 2023 19:34
jasonodonnell added a commit that referenced this pull request Aug 31, 2023
* Add worker pool for LDAP group lookup

* changelog

* Add lock

* derefAliases disappeared
jasonodonnell added a commit that referenced this pull request Sep 1, 2023
…#22702)

* Add worker pool for LDAP group lookup (#22659)

* Add worker pool for LDAP group lookup

* changelog

* Add lock

* derefAliases disappeared

* Remove deref

---------

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
jasonodonnell added a commit that referenced this pull request Sep 1, 2023
…#22703)

* Add worker pool for LDAP group lookup (#22659)

* Add worker pool for LDAP group lookup

* changelog

* Add lock

* derefAliases disappeared

* Remove deref

* fmt

---------

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Labels: auth/ldap, hashicorp-contributed-pr