Details
-
Suggestion
-
Resolution: Fixed
-
7
-
Description
The performance improvements of bots-login do not require any extra configuration. All successful frequent authentication actions will benefit from this fix. More about the fix: https://confluence.atlassian.com/jirakb/user-login-jira-stats-logs-1108675859.html
Some numbers from our performance tests:
- 8-node cluster with 50k users defined in LDAP
- set of users logging concurrently to all nodes for ~1 hour
- before fix: 900k log-in actions with 99p taking 1.5 seconds, max 15 seconds
- after fix: 10M log-in actions with 99p taking 100 milliseconds, max 2 seconds
- frequent log-in actions triggers will not trigger: remote directory actions, DB updated, replicated cache updates
Problem Definition
Basic authentication for REST API call has a performance overhead. There are a couple of things which contribute to that:
- Authentication itself, also a possible roundtrip to LDAP/AD/Crowd server
- Updating (refreshing) user attributes from LDAP
- Updating login attempt data recordLoginAttempt
- Updating UserAttrubutes with updateLastLoginTime
- EventPublishing Security event
Suggested Solution
Add option to configure automation (service) user account which has fewer actions during login (auth):
- Doesn't update Login counter for every successful login (possibly every X requests)
- Doesn't update LastLoginTime for every login
- Doesn't update user attributes from LDAP for every login (example updateUserFromRemoteDirectory method)
Possible solution:
OAuth 2.0 authorization via tokenization should allow for users to self generate a token in order to provide a secure and easy way to integrate their apps at a project level. Tokens should be associated with the corresponding user account limiting permission to the platform based upon the user's access.
Note
Make sure that service account doesn't have Jira Admin privileges. In addition to having a security risk, it also has an extra performance overhead due to processing removeDismissFlagForUser.
Workaround
Try to avoid Basic authentication for each REST API call, instead try to use cookie-based authentication
This is how cookie-based authentication works in Jira at a high level:
- The client creates a new session for the user via the Jira REST API.
- Jira returns a session object that has information about the session including the session cookie. The client stores this session object.
- The client can now set the cookie in the header for all subsequent requests to the Jira REST API.
More details: https://developer.atlassian.com/server/jira/platform/cookie-based-authentication/
Attachments
Issue Links
- is related to
-
- Closed
- relates to
-
JRASERVER-70519 Performance degradation due to contention in CachingOfBizPropertyEntryStore cache
-
- Closed
-
-
-
- Gathering Impact
-
-
- Closed
-
- Closed
-
LOGIN-4 Loading...
-
-
-
- causes
-
- Mentioned in
- mentioned in
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-