Commit Graph

10 Commits

Author SHA1 Message Date
Mike Danese 0326ed9810 migrate token cache to cache.Expiring
Kubernetes-commit: 3f194d5b413daeba93063f4610b9951069eaf13c
2019-11-06 16:23:21 -08:00
Mike Danese d8f26fe9f3 report cache mises in cached token authenticator benchmark
Kubernetes-commit: c5bfea65b9b45c01a09dfefeedffd13b8927140a
2019-11-12 12:40:19 -08:00
Mike Danese 61dd52533e adjust token cache benchmarks to get more accurate behavior
b.N is adjusted by pkg/testing using an internal heuristic:

> The benchmark function must run the target code b.N times. During
> benchmark execution, b.N is adjusted until the benchmark function
> lasts long enough to be timed reliably.

Using b.N to seed other parameters makes the benchmark behavior
difficult to reason about. Before this change, thread count in the
CachedTokenAuthenticator benchmark is always 5000, and batch size is
almost always 1 when I run this locally. SimpleCache and StripedCache
benchmarks had similarly strange scaling.

After modifying CachedTokenAuthenticator to only adjust iterations based
on b.N, the batch chan was an point of contention and I wasn't able to
see any significant CPU consumption. This was fixed by using
ParallelBench to do the batching, rather than using a chan.

Kubernetes-commit: 43d34882c9b3612d933b97b6e470fd8d36fe492b
2019-10-26 14:12:41 -07:00
Daniel Smith 168addcfe5 Add an authn cache benchmark
Kubernetes-commit: 420a44da0138cb64fa5d4e9fab79d8be3527ffd8
2019-10-08 13:34:51 -07:00
Monis Khan c2289feb1e Hash keys used in cached token authenticator
It is possible to configure the token cache to cache failures.  We
allow 1 MB of headers per request, meaning a malicious actor could
cause the cache to use a large amount of memory by filling it with
large invalid tokens.  This change hashes the token before using it
as a key.  Measures have been taken to prevent precomputation
attacks.  SHA 256 is used as the hash to prevent collisions.

Signed-off-by: Monis Khan <mkhan@redhat.com>

Kubernetes-commit: 9a547bca8e6e15273bfafd3496aa6524fd7d35bd
2019-10-11 15:21:34 -04:00
Mike Danese 0bf5dcd764 remove webhook cache implementation and replace with the token cache
The striped cache used by the token cache is slightly more sophisticated
however the simple cache provides about the same exact behavior. I used
the striped cache rather than the simple cache because:

* It has been used without issue as the primary token cache.
* It preforms better under load.
* It is already exposed in the public API of the token cache package.

Kubernetes-commit: 0ec4d6d396f237ccb3ae0e96922a90600befb83d
2018-10-30 12:41:46 -07:00
Mike Danese 1692373df9 move audience context functions to authenticator package
Kubernetes-commit: 817cf70191b73d1ee9f4e7af83089e5854e5131d
2018-10-31 14:50:11 -07:00
Mike Danese 908a04653f make token cache include audience in hash key
Kubernetes-commit: 809f278b032103cd24fcbb5ea2196c6c7caa6f63
2018-10-16 10:02:01 -07:00
Mike Danese 2ced48ac6e rebase authenticators onto new interface.
Kubernetes-commit: e5227216c0796d725c695e36cfc1d54e7631d3a6
2018-10-15 15:17:36 -07:00
Jordan Liggitt 80d2e2dae5 Add token cache component
Kubernetes-commit: 1670ba58d5425caecbde8871b07521e9e5888f78
2017-08-29 13:15:24 +00:00