Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

A dead LDAP upstream can block the authentication and show global variables. #51883

Closed
YangKeao opened this issue Mar 19, 2024 · 2 comments · Fixed by #51927 · May be fixed by #51912
Closed

A dead LDAP upstream can block the authentication and show global variables. #51883

YangKeao opened this issue Mar 19, 2024 · 2 comments · Fixed by #51927 · May be fixed by #51912
Assignees
@YangKeao
Labels
affects-7.1 sig/sql-infra SIG: SQL Infra type/enhancement

Comments

@YangKeao
Copy link
Member

YangKeao commented Mar 19, 2024
edited

Enhancement

Some functions about LDAP don't have timeout mechanism (e.g. StartTLS), therefore, the RLock of it cannot be released until the upstream returns.

I'd like to address the following enhancement:

  1. Don't include any network / IO in the RLock. An RLock in golang can block the Lock, and a pending write lock will blocks all other RLock, which will make the things much worse.
  2. Add timeout mechanism for LDAP functions.
  3. Add metrics for them.
@YangKeao YangKeao self-assigned this Mar 19, 2024
@YangKeao YangKeao mentioned this issue Mar 19, 2024
Open
5 tasks
@aki263
Copy link

aki263 commented Mar 19, 2024

@YangKeao
We should also add caching creds for upto a minutes so we dont DDoS LDAP sever.

@YangKeao YangKeao mentioned this issue Mar 20, 2024
Merged
5 tasks
@YangKeao
Copy link
Member Author

@aki263 Good suggestion.

TiDB has a mechanism to retry to establish connection with the LDAP server (for 10 times), when it fails. I'll add some backoff to avoid retrying too frequently. I think it'll help a lot to limit the request frequency.

Cache on authentication needs more consideration/discussion, because the latency of cache invalidation is not always expected (especially when it's related to security) 🤔 .

ti-chi-bot bot pushed a commit that referenced this issue Mar 20, 2024
@YangKeao
ldap: add timeout and retry-backoff for ldap (#51927)
d940619 
close #51883
@YangKeao YangKeao added the sig/sql-infra SIG: SQL Infra label Mar 20, 2024
This was referenced Mar 20, 2024
Merged
Merged
ti-chi-bot bot pushed a commit that referenced this issue Mar 20, 2024
@ti-chi-bot
ldap: add timeout and retry-backoff for ldap (#51927) (#51941)
5d20f4f 
close #51883
@ti-chi-bot ti-chi-bot mentioned this issue Apr 12, 2024
Open
5 tasks
ti-chi-bot bot pushed a commit that referenced this issue Apr 12, 2024
@ti-chi-bot
ldap: add timeout and retry-backoff for ldap (#51927) (#51943)
425cda9 
close #51883
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@YangKeao YangKeao

Labels
affects-7.1 sig/sql-infra SIG: SQL Infra type/enhancement
Projects
None yet
Milestone
No milestone
3 participants
@YangKeao @aki263 @ti-chi-bot