Analysis of customer stalls showed that the `detail::hash_with_salt` function, called from `passwords::check`, often blocks the reactor. This function internally uses the `crypt_r` function from an external library to compute password hashes, which is a CPU-intensive operation. To prevent such reactor stalls, this commit moves the `passwords::check` call to a dedicated alien thread. This thread is created at system startup and is shared by all shards. Within the alien thread, a `std::mutex` synchronizes access between the thread and the shards. While this could theoretically cause frequent lock contention, in practice, even during connection storms, the number of new connections per second per shard is limited (typically hundreds per second). Additionally, the `_conns_cpu_concurrency_semaphore` in `generic_server` ensures that not too many connections are processed at once.

Fixes scylladb/scylladb#24524
/*
* Copyright (C) 2017-present ScyllaDB
*/
/*
* SPDX-License-Identifier: LicenseRef-ScyllaDB-Source-Available-1.0
*/
#pragma once
#include <stdexcept>
#include "auth/authenticated_user.hh"
#include "auth/authenticator.hh"
#include "auth/common.hh"
#include "utils/alien_worker.hh"
namespace cql3 {
class query_processor;
}
namespace service {
class migration_manager;
}
namespace auth {
extern const std::string_view allow_all_authenticator_name;
/// Authenticator that performs no authentication.
///
/// Every operation is a no-op or yields an empty result: `require_authentication()`
/// reports `false`, and `authenticate()` resolves to `anonymous_user()` without
/// inspecting the credentials it is given. While this authenticator is in use,
/// the auth layer does not establish any client identity.
class allow_all_authenticator final : public authenticator {
public:
    /// Accepts the four dependencies and ignores all of them (the body is empty).
    /// NOTE(review): presumably they are taken only so that this class is
    /// constructed the same way as the other authenticators — confirm.
    allow_all_authenticator(cql3::query_processor&, ::service::raft_group0_client&, ::service::migration_manager&, utils::alien_worker&) {}

    /// Nothing to start; completes immediately.
    future<> start() override {
        return make_ready_future<>();
    }

    /// Nothing to stop; completes immediately.
    future<> stop() override {
        return make_ready_future<>();
    }

    /// Returns the name this authenticator is known by (`allow_all_authenticator_name`).
    std::string_view qualified_java_name() const override {
        return allow_all_authenticator_name;
    }

    /// Always `false`: this authenticator does not ask clients to authenticate.
    bool require_authentication() const override {
        return false;
    }

    /// No authentication options are supported; returns an empty set.
    authentication_option_set supported_options() const override {
        return authentication_option_set();
    }

    /// No authentication options can be altered; returns an empty set.
    authentication_option_set alterable_options() const override {
        return authentication_option_set();
    }

    /// Resolves to the anonymous user for any input.
    /// `credentials` is never read, so no credential check of any kind happens here.
    future<authenticated_user> authenticate(const credentials_map& credentials) const override {
        return make_ready_future<authenticated_user>(anonymous_user());
    }

    /// No-op: the role name, options and batch are all ignored.
    future<> create(std::string_view, const authentication_options& options, ::service::group0_batch&) override {
        return make_ready_future<>();
    }

    /// No-op: the role name, options and batch are all ignored.
    future<> alter(std::string_view, const authentication_options& options, ::service::group0_batch&) override {
        return make_ready_future<>();
    }

    /// No-op: the role name and batch are ignored.
    future<> drop(std::string_view, ::service::group0_batch&) override {
        return make_ready_future<>();
    }

    /// Resolves to a default-constructed `custom_options`, whatever `role_name` is.
    future<custom_options> query_custom_options(std::string_view role_name) const override {
        return make_ready_future<custom_options>();
    }

    /// Returns a reference to an empty, function-local static set:
    /// this authenticator protects no resources.
    const resource_set& protected_resources() const override {
        static const resource_set no_resources;
        return no_resources;
    }

    /// Always throws: no SASL challenge exists for this authenticator.
    /// NOTE(review): presumably callers consult `require_authentication()` first
    /// and never get here — confirm against the callers.
    /// @throws std::runtime_error unconditionally.
    ::shared_ptr<sasl_challenge> new_sasl_challenge() const override {
        throw std::runtime_error("Should not reach");
    }

    /// No superuser is created; completes immediately.
    future<> ensure_superuser_is_created() const override {
        return make_ready_future<>();
    }
};
}