- Bug
- Resolution: Fixed
- Medium
- 4.4.3, 4.4.4, 6.0.1/OD-15, 6.0.8
- 4.04
- 27
- Severity 2 - Major
- 20
LDAP with nested groups enabled can be integrated with JIRA without a problem. However, if lone child groups are imported because of a poor search filter, performance will degrade greatly. When reading the dump file, you will notice entries like:
"Thread-547" daemon prio=10 tid=0x00002aaabc6c8000 nid=0x2cfc runnable [0x0000000060d12000]
   java.lang.Thread.State: RUNNABLE
    at java.net.SocketInputStream.socketRead0(Native Method)
    at java.net.SocketInputStream.read(SocketInputStream.java:129)
    at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
    at java.io.BufferedInputStream.read1(BufferedInputStream.java:258)
    at java.io.BufferedInputStream.read(BufferedInputStream.java:317)
    - locked <0x00000006e4abab98> (a java.io.BufferedInputStream)
    at com.sun.jndi.ldap.Connection.run(Connection.java:820)
    at java.lang.Thread.run(Thread.java:662)

"http-80-64" daemon prio=10 tid=0x00002aaac4f5f800 nid=0x136c runnable [0x0000000048210000]
   java.lang.Thread.State: RUNNABLE
    at java.lang.Throwable.fillInStackTrace(Native Method)
    - locked <0x00000007ffcd19f8> (a com.atlassian.crowd.exception.GroupNotFoundException)
    at java.lang.Throwable.<init>(Throwable.java:218)
    at java.lang.Exception.<init>(Exception.java:59)
    at com.atlassian.crowd.exception.CrowdException.<init>(CrowdException.java:17)
    at com.atlassian.crowd.exception.ObjectNotFoundException.<init>(ObjectNotFoundException.java:39)
    at com.atlassian.crowd.exception.GroupNotFoundException.<init>(GroupNotFoundException.java:17)
    at com.atlassian.crowd.exception.GroupNotFoundException.<init>(GroupNotFoundException.java:12)
    at com.atlassian.crowd.embedded.ofbiz.OfBizGroupDao.findByName(OfBizGroupDao.java:98)
    at com.atlassian.crowd.embedded.ofbiz.OfBizDelegatingMembershipDao.result(OfBizDelegatingMembershipDao.java:179)
    at com.atlassian.crowd.embedded.ofbiz.OfBizDelegatingMembershipDao.search(OfBizDelegatingMembershipDao.java:108)
    at com.atlassian.crowd.directory.AbstractInternalDirectory.searchGroupRelationships(AbstractInternalDirectory.java:749)
    at com.atlassian.crowd.directory.DbCachingRemoteDirectory.searchGroupRelationships(DbCachingRemoteDirectory.java:575)
    at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.searchDirectGroupRelationships(DirectoryManagerGeneric.java:864)
    at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.isUserNestedGroupMember(DirectoryManagerGeneric.java:897)
    at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.isUserNestedGroupMember(DirectoryManagerGeneric.java:872)
    at com.atlassian.crowd.manager.application.ApplicationServiceGeneric.isUserNestedGroupMember(ApplicationServiceGeneric.java:1414)
    at com.atlassian.crowd.embedded.core.CrowdServiceImpl.isUserMemberOfGroup(CrowdServiceImpl.java:261)
    at com.atlassian.crowd.embedded.core.CrowdServiceImpl.isUserMemberOfGroup(CrowdServiceImpl.java:266)
    at com.atlassian.crowd.embedded.core.DelegatingCrowdService.isUserMemberOfGroup(DelegatingCrowdService.java:70)
    at com.atlassian.crowd.embedded.core.FilteredCrowdServiceImpl.isUserMemberOfGroup(FilteredCrowdServiceImpl.java:194)
    at com.atlassian.jira.security.type.GroupDropdown.hasPermission(GroupDropdown.java:105)
    at com.atlassian.jira.permission.DefaultPermissionSchemeManager.hasSchemePermission(DefaultPermissionSchemeManager.java:415)
    at com.atlassian.jira.permission.DefaultPermissionSchemeManager.hasPermission(DefaultPermissionSchemeManager.java:380)
    at com.atlassian.jira.permission.DefaultPermissionSchemeManager.hasSchemeAuthority(DefaultPermissionSchemeManager.java:323)
    at sun.reflect.GeneratedMethodAccessor588.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
This is because permissions are expensive to calculate for nested groups, which creates a significant performance bottleneck. The thread dump above shows nested group memberships where the group does not exist; if this is common, it will have a big impact on performance. This should not occur, but it seems possible if the LDAP configuration has changed and/or these child groups have been removed.
Workaround
- Use the SQL query below to find lone child groups so that they can be deleted.
select * from cwd_membership where membership_type = 'GROUP_GROUP' and child_name not in (select group_name from cwd_group);
- Remove the rows returned above.
- Restart JIRA and re-synchronize your directory.
- Confirm that the above query returns no results.
This will definitely bring a great improvement in JIRA.
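The find, remove and confirm steps of the workaround as one script. This is an added example, not a script from the issue or from Atlassian: it assumes PostgreSQL-style syntax and uses only the tables and columns in the query above, and the backup table name cwd_membership_orphans_bak is hypothetical. NOT EXISTS selects the same rows as the NOT IN form, but still matches if cwd_group contains a NULL group_name, where NOT IN would return nothing.

```sql
-- Added example (assumptions: PostgreSQL-style syntax; backup table name is hypothetical).

-- 1. Keep a copy of the orphaned membership rows before touching them,
--    so the change can be reviewed and reversed.
CREATE TABLE cwd_membership_orphans_bak AS
SELECT m.*
FROM cwd_membership m
WHERE m.membership_type = 'GROUP_GROUP'
  AND NOT EXISTS (
        SELECT 1 FROM cwd_group g
        WHERE g.group_name = m.child_name
      );

-- 2. Review what was captured: which child groups are missing and how often.
SELECT child_name, COUNT(*) AS orphan_rows
FROM cwd_membership_orphans_bak
GROUP BY child_name
ORDER BY orphan_rows DESC;

-- 3. Delete the same set inside a transaction and check the result
--    before committing.
BEGIN;

DELETE FROM cwd_membership
WHERE membership_type = 'GROUP_GROUP'
  AND NOT EXISTS (
        SELECT 1 FROM cwd_group g
        WHERE g.group_name = cwd_membership.child_name
      );

-- Must return 0; if it does not, issue ROLLBACK instead of COMMIT.
SELECT COUNT(*) AS remaining_orphans
FROM cwd_membership m
WHERE m.membership_type = 'GROUP_GROUP'
  AND NOT EXISTS (
        SELECT 1 FROM cwd_group g
        WHERE g.group_name = m.child_name
      );

COMMIT;
```

Because these rows feed group-membership permission checks, keep the backup table until the directory has re-synchronized and access has been spot-checked.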
- is related to
  - JRASERVER-27072 JIRA is extremely slow when Nested group is enabled in LDAP (Closed)
  - CWD-3983 XML deserialisation happens in the Crowd client in a non-optimal way, resulting in WebappClassLoader lock congestion (Closed)
- was cloned as
  - JDEV-29458