Whamcloud - gitweb
LU-17374 gss: get rid of rsi cache entries after req handle
author Sebastien Buisson <sbuisson@ddn.com>
Mon, 18 Dec 2023 13:59:30 +0000 (14:59 +0100)
committer Andreas Dilger <adilger@whamcloud.com>
Sat, 13 Jan 2024 02:47:45 +0000 (02:47 +0000)
RPCSEC init requests are kept in the rsi cache. While this is useful
during request processing involving upcall/downcall with userspace,
rsi entries are never used again once RPCSEC init requests have been
handled completely.
And keeping entries in the rsi cache has some impact on authentication
speed. When a new RPCSEC init request is received, the first step is
to check if there is a valid matching entry in the cache. It is never
the case, except if an authentication request is replayed, but GSS
rejects that anyway.
So we spend time browsing a cache from which we expect no match. Even
if the upcall cache mechanism takes this lookup opportunity to remove
invalid or expired entries, it is even better to remove cache entries
as soon as we know they are done.

Lustre-change: https://review.whamcloud.com/53488
Lustre-commit: 7a56a689d4aa588bd003e35fdb93d87cf1e56d1d

Test-Parameters: kerberos=true testlist=sanity-krb5
Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Change-Id: Ia9946578c3d3149e6235d832df28214ae8984f1e
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-on: https://review.whamcloud.com/c/ex/lustre-release/+/53610
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
lustre/ptlrpc/gss/gss_svc_upcall.c

index cc74319..acc9ae1 100644 (file)
@@ -930,8 +930,14 @@ int gss_svc_upcall_handle_init(struct ptlrpc_request *req,
        rc = SECSVC_OK;
 
 out:
-       if (!IS_ERR_OR_NULL(rsip))
+       if (!IS_ERR_OR_NULL(rsip)) {
+               /* After rpcsec init request has been handled,
+                * no need to keep rsi entry in cache, no matter the result.
+                * So mark it invalid now.
+                */
+               UC_CACHE_SET_INVALID(rsip->si_uc_entry);
                rsi_entry_put(rsicache, rsip);
+       }
        if (!IS_ERR_OR_NULL(rscp)) {
                /* if anything went wrong, we don't keep the context too */
                if (rc != SECSVC_OK)
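Review bot: the new UC_CACHE_SET_INVALID(rsip->si_uc_entry) at the `out:` label writes the entry's state with no lock visible in this hunk, while the entry is still reachable through rsicache until rsi_entry_put() runs. If other updates to upcall cache entry flags are made under the cache or entry lock, this one should be too, or the comment should say why an unlocked write is safe here. The comment would also be more useful if it said what happens to another request that looked up the same entry concurrently (the replay case the commit message mentions), and whether rsi_entry_put() frees an invalid entry immediately or leaves it for the next lookup to reap.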
@@ -1039,7 +1045,7 @@ int __init gss_init_svc_upcall(void)
 
        rsicache = upcall_cache_init(RSI_CACHE_NAME, RSI_UPCALL_PATH,
                                     UC_RSICACHE_HASH_SIZE,
-                                    3600, /* entry expire: 1 h */
+                                    600, /* entry expire: 10 mn */
                                     30, /* acquire expire: 30 s */
                                     false, /* can't replay acquire */
                                     &rsi_upcall_cache_ops);
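Review bot: the entry expiry in the upcall_cache_init() call drops from 3600 to 600, but the commit message only describes invalidating entries after the request is handled and never mentions or justifies the shorter timeout. Since entries are now marked invalid at `out:`, the expiry only matters for entries that never reach that path, so the reasoning for picking 600 belongs in the commit message or the comment. Minor style point: "10 mn" is inconsistent with the neighbouring "1 h" and "30 s" comments; "10 min" reads more clearly, and a named constant would be better than a bare 600.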