Whamcloud - gitweb
LU-17374 gss: get rid of rsi cache entries after req handle 88/53488/3
author Sebastien Buisson <sbuisson@ddn.com>
Mon, 18 Dec 2023 13:59:30 +0000 (14:59 +0100)
committer Oleg Drokin <green@whamcloud.com>
Wed, 3 Jan 2024 03:04:17 +0000 (03:04 +0000)
RPCSEC init requests are kept in the rsi cache. While this is useful
during request processing involving upcall/downcall with userspace,
rsi entries are never used again once RPCSEC init requests have been
handled completely.
And keeping entries in the rsi cache has some impact on authentication
speed. When a new RPCSEC init request is received, the first step is
to check if there is a valid matching entry in the cache. It is never
the case, except if an authentication request is replayed, but GSS
rejects that anyway.
So we spend time browsing a cache from which we expect no match. Even
if the upcall cache mechanism takes this lookup opportunity to remove
invalid or expired entries, it is even better to remove cache entries
as soon as we know they are done.

Test-Parameters: kerberos=true testlist=sanity-krb5
Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Change-Id: Ia9946578c3d3149e6235d832df28214ae8984f1e
Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/53488
Reviewed-by: Aurelien Degremont <adegremont@nvidia.com>
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
lustre/ptlrpc/gss/gss_svc_upcall.c

index 063a5c2..4074f22 100644 (file)
@@ -931,8 +931,14 @@ int gss_svc_upcall_handle_init(struct ptlrpc_request *req,
        rc = SECSVC_OK;
 
 out:
-       if (!IS_ERR_OR_NULL(rsip))
+       if (!IS_ERR_OR_NULL(rsip)) {
+               /* After rpcsec init request has been handled,
+                * no need to keep rsi entry in cache, no matter the result.
+                * So mark it invalid now.
+                */
+               UC_CACHE_SET_INVALID(rsip->si_uc_entry);
                rsi_entry_put(rsicache, rsip);
+       }
        if (!IS_ERR_OR_NULL(rscp)) {
                /* if anything went wrong, we don't keep the context too */
                if (rc != SECSVC_OK)
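Review bot: In the out: path, UC_CACHE_SET_INVALID(rsip->si_uc_entry) is applied with no locking visible around it and regardless of rc, so please confirm that the flag can be set safely while another thread may hold or look up the same entry, and that rsi_entry_put() on an invalid entry actually unlinks it rather than leaving it for a later lookup to reap. If the entry only disappears on the next lookup, the goal stated in the commit message is only partly met; extending the new comment to say which of the two happens would make the intent clear to the next reader.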
@@ -1040,7 +1046,7 @@ int __init gss_init_svc_upcall(void)
 
        rsicache = upcall_cache_init(RSI_CACHE_NAME, RSI_UPCALL_PATH,
                                     UC_RSICACHE_HASH_SIZE,
-                                    3600, /* entry expire: 1 h */
+                                    600, /* entry expire: 10 mn */
                                     30, /* acquire expire: 30 s */
                                     false, /* can't replay acquire */
                                     &rsi_upcall_cache_ops);
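Review bot: The entry expiry passed to upcall_cache_init() drops from 3600 to 600, but the commit message only discusses invalidating entries once the init request is handled and does not say why the timeout changes as well or how 600 was chosen; a sentence on that in the message would help anyone bisecting authentication behaviour later. The comment "10 mn" would read better as "10 min", and the bare 600 and 30 are candidates for named constants next to UC_RSICACHE_HASH_SIZE.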