treeverse · idanovo · May 24, 2022 · May 22, 2022 · May 22, 2022 · May 22, 2022
diff --git a/cmd/lakefs/cmd/run.go b/cmd/lakefs/cmd/run.go
@@ -164,14 +164,15 @@ var runCmd = &cobra.Command{
 				cfg.GetAuthCacheConfig(),
 				logger.WithField("service", "auth_service"))
 		}
-		authenticator := auth.ChainAuthenticator{
+		middlewareAuthenticator := auth.ChainAuthenticator{
 			auth.NewBuiltinAuthenticator(authService),
-			auth.NewEmailAuthenticator(authService),
 		}
 		ldapConfig := cfg.GetLDAPConfiguration()
 		if ldapConfig != nil {
-			authenticator = append(authenticator, newLDAPAuthenticator(ldapConfig, authService))
+			middlewareAuthenticator = append(middlewareAuthenticator, newLDAPAuthenticator(ldapConfig, authService))
 		}
+		controllerAuthenticator := append(middlewareAuthenticator, auth.NewEmailAuthenticator(authService))
+
 		authMetadataManager := auth.NewDBMetadataManager(version.Version, cfg.GetFixedInstallationID(), dbPool)
 		cloudMetadataProvider := stats.BuildMetadataProvider(logger, cfg)
 		blockstoreType := cfg.GetBlockstoreType()
@@ -236,7 +237,8 @@ var runCmd = &cobra.Command{
 		apiHandler := api.Serve(
 			cfg,
 			c,
-			authenticator,
+			middlewareAuthenticator,
+			controllerAuthenticator,
 			authService,
 			blockStore,
 			authMetadataManager,

diff --git a/design/open/evict-user-from-auth-cache-on-reset-password.md b/design/open/evict-user-from-auth-cache-on-reset-password.md
@@ -0,0 +1,13 @@
+## The problem: 
+When a user logs in to lakeFS we save their credentials in the auth-cache. 
+This way, we avoid checking the usr credentials through the DB on each call the user makes. 
+Currently, when users try to reset their password, their old password is still stored in the auth-cache, so they have to wait till it's evicted before they log in using the new password.
+
+
+## The suggested solution: 
+The intuitive solution is just to evict the users from the auth cache when resetting their password. 
+The problem with this solution is that we might not necessarily have a centralized cache, so we might need to evict the user for every auth cache he exists in. 
+This is why the simpler solution here might be just to not use auth cache for email-password authentication. 
+This way, we still won't need to authenticate when users use API calls that use access-key and secret for authentication and won't need to do the effort of evicting the user auth from all the auth cache instances.
+In case we decide to go with this solution, we have to enable email/password authentication only through the UI.
+Otherwise, user might try to use email/password authentication with our Python/Java client and won't have their credentials cached.
diff --git a/pkg/api/serve.go b/pkg/api/serve.go
@@ -41,7 +41,8 @@ type responseError struct {
 func Serve(
 	cfg *config.Config,
 	catalog catalog.Interface,
-	authenticator auth.Authenticator,
+	middlewareAuthenticator auth.Authenticator,
+	controllerAuthenticator auth.Authenticator,
 	authService auth.Service,
 	blockAdapter block.Adapter,
 	metadataManager auth.MetadataManager,
@@ -68,14 +69,14 @@ func Serve(
 			RequestIDHeaderName,
 			logging.Fields{logging.ServiceNameFieldKey: LoggerServiceName},
 			cfg.GetLoggingTraceRequestHeaders()),
-		AuthMiddleware(logger, swagger, authenticator, authService),
+		AuthMiddleware(logger, swagger, middlewareAuthenticator, authService),
 		MetricsMiddleware(swagger),
 	)
 
 	controller := NewController(
 		cfg,
 		catalog,
-		authenticator,
+		controllerAuthenticator,
 		authService,
 		blockAdapter,
 		metadataManager,

diff --git a/pkg/api/serve_test.go b/pkg/api/serve_test.go
@@ -117,7 +117,7 @@ func setupHandlerWithWalkerFactory(t testing.TB, factory catalog.WalkerFactory,
 	emailParams, _ := cfg.GetEmailParams()
 	emailer, err := email.NewEmailer(emailParams)
 	testutil.Must(t, err)
-	handler := api.Serve(cfg, c, authenticator, authService, c.BlockAdapter, meta, migrator, collector, nil, actionsService, auditChecker, logging.Default(), emailer, nil)
+	handler := api.Serve(cfg, c, authenticator, authenticator, authService, c.BlockAdapter, meta, migrator, collector, nil, actionsService, auditChecker, logging.Default(), emailer, nil)
 
 	return handler, &dependencies{
 		blocks:      c.BlockAdapter,

diff --git a/pkg/auth/cache.go b/pkg/auth/cache.go
@@ -15,14 +15,12 @@ type Cache interface {
 	GetCredential(accessKeyID string, setFn CredentialSetFn) (*model.Credential, error)
 	GetUser(username string, setFn UserSetFn) (*model.User, error)
 	GetUserByID(userID int64, setFn UserSetFn) (*model.User, error)
-	GetUserByEmail(userEmail string, setFn UserSetFn) (*model.User, error)
 	GetUserPolicies(userID string, setFn UserPoliciesSetFn) ([]*model.Policy, error)
 }
 
 type LRUCache struct {
 	credentialsCache cache.Cache
 	userCache        cache.Cache
-	userEmailCache   cache.Cache
 	policyCache      cache.Cache
 }
 
@@ -31,7 +29,6 @@ func NewLRUCache(size int, expiry, jitter time.Duration) *LRUCache {
 	return &LRUCache{
 		credentialsCache: cache.NewCache(size, expiry, jitterFn),
 		userCache:        cache.NewCache(size, expiry, jitterFn),
-		userEmailCache:   cache.NewCache(size, expiry, jitterFn),
 		policyCache:      cache.NewCache(size, expiry, jitterFn),
 	}
 }
@@ -60,14 +57,6 @@ func (c *LRUCache) GetUserByID(userID int64, setFn UserSetFn) (*model.User, erro
 	return v.(*model.User), nil
 }
 
-func (c *LRUCache) GetUserByEmail(userEmail string, setFn UserSetFn) (*model.User, error) {
-	v, err := c.userEmailCache.GetOrSet(userEmail, func() (interface{}, error) { return setFn() })
-	if err != nil {
-		return nil, err
-	}
-	return v.(*model.User), nil
-}
-
 func (c *LRUCache) GetUserPolicies(userID string, setFn UserPoliciesSetFn) ([]*model.Policy, error) {
 	v, err := c.policyCache.GetOrSet(userID, func() (interface{}, error) { return setFn() })
 	if err != nil {

diff --git a/pkg/auth/service.go b/pkg/auth/service.go
@@ -299,15 +299,13 @@ func (s *DBAuthService) GetUser(ctx context.Context, username string) (*model.Us
 }
 
 func (s *DBAuthService) GetUserByEmail(ctx context.Context, email string) (*model.User, error) {
-	return s.cache.GetUserByEmail(email, func() (*model.User, error) {
-		user, err := s.db.Transact(ctx, func(tx db.Tx) (interface{}, error) {
-			return getUserByEmail(tx, email)
-		}, db.ReadOnly())
-		if err != nil {
-			return nil, err
-		}
-		return user.(*model.User), nil
-	})
+	user, err := s.db.Transact(ctx, func(tx db.Tx) (interface{}, error) {
+		return getUserByEmail(tx, email)
+	}, db.ReadOnly())
+	if err != nil {
+		return nil, err
+	}
+	return user.(*model.User), nil
 }
 
 func (s *DBAuthService) GetUserByID(ctx context.Context, userID int64) (*model.User, error) {

diff --git a/pkg/loadtest/local_load_test.go b/pkg/loadtest/local_load_test.go
@@ -104,6 +104,7 @@ func TestLocalLoad(t *testing.T) {
 		conf,
 		c,
 		authenticator,
+		authenticator,
 		authService,
 		blockAdapter,
 		meta,