Bug 6891 - Allow configurable CRL reload interval
Status: NEW
CoG jglobus
security
1.7.0
PC All
P3 normal
1.8
Reported: 2009-11-16 09:46 by
Modified: 2009-11-18 09:33




Description From 2009-11-16 09:46:06
From Gerd Behrmann:

I did some tests on my own this week to see how far I could push our new SRM
server. During those tests I ran into a scalability issue in how JGlobus
handles CRLs. JGlobus caches CRLs in memory, however for each session it
verifies whether the CRLs in memory are current by checking the modification
time of the CRLs on disk. As the memory representation is shared by all
sessions, this check is done while holding a global lock. This lock is a
contention point and prevents the library from scaling to multiple cores. In my
tests, I was unable to push CPU utilization beyond 20% on our 8 core machine.

I have attached a simple patch to improve the CRL caching. It introduces the
new property org.globus.jglobus.crl.cache.lifetime, which specifies a minimum
distance between checking whether the CRLs have changed. When set to zero, the
old logic is preserved.

In my tests, I was able to perform delegation at 140 Hz without this patch, but
at 295 Hz after applying the patch and setting
org.globus.jglobus.crl.cache.lifetime to 60 seconds.

I would appreciate if you would have a look at the patch and consider it for
inclusion in JGlobus.


--- /tmp/jglobus/src/org/globus/gsi/CertificateRevocationLists.java   
2008-02-27 06:34:31.000000000 +0100
+++ jglobus/src/org/globus/gsi/CertificateRevocationLists.java    2009-11-09
22:39:42.940947758 +0100
@@ -225,8 +225,21 @@
    private static class DefaultCertificateRevocationLists 
        extends CertificateRevocationLists {

-        public void refresh() {
+        private final long lifetime;
+        private long lastRefresh;
+
+        public DefaultCertificateRevocationLists()
+        {
+            lifetime =
+                CoGProperties.getDefault().getDelegationKeyCacheLifetime();
+        }
+
+        public synchronized void refresh() {
+            long now = System.currentTimeMillis();
+            if (lastRefresh + lifetime <= now) {
-            reload(getDefaultCRLLocations());
+                reload(getDefaultCRLLocations());
+                lastRefresh = now;
+            }
        }

        private static synchronized String getDefaultCRLLocations() {
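Review bot: the constructor initialises `lifetime` from the wrong property: `CoGProperties.getDefault().getDelegationKeyCacheLifetime()` returns the delegation key cache lifetime, so the interval configured through `org.globus.jglobus.crl.cache.lifetime` is never read, and an operator who sets a delegation lifetime silently throttles CRL checks as well. It should call the `getCRLCacheLifetime()` that this patch adds to CoGProperties, which also removes the `int`-to-`long` widening (the delegation getter is declared `public int`). The `lastRefresh + lifetime <= now` test keeps the per-call check for the default of 0, but any positive value means a CRL rewritten on disk goes unnoticed for up to `lifetime` milliseconds, so the value must stay well below the CAs' CRL publication period; that trade-off belongs in the Javadoc of the property.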
--- /tmp/jglobus/src/org/globus/common/CoGProperties.java    2009-06-29
18:54:05.000000000 +0200
+++ jglobus/src/org/globus/common/CoGProperties.java    2009-11-09
22:42:01.657004409 +0100
@@ -60,6 +60,9 @@
    public static final String DELEGATION_KEY_CACHE_LIFETIME =
        "org.globus.jglobus.delegation.cache.lifetime";

+    public static final String CRL_CACHE_LIFETIME =
+        "org.globus.jglobus.crl.cache.lifetime";
+
    public static final String MDSHOST = "localhost";
    public static final String MDSPORT = "2135";
    public static final String BASEDN  = "Mds-Vo-name=local, o=Grid";
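Review bot: the new constant carries no comment stating its unit or its disabling value, while the getter added later in this patch documents milliseconds and "zero or less means no caching"; a one-line Javadoc on `CRL_CACHE_LIFETIME` (e.g. `/** Minimum interval, in milliseconds, between checks of the CRL files on disk; 0 or less disables the throttle. */`) would keep that visible where callers look the property name up, especially since the neighbouring delegation property's documented unit changes from seconds to milliseconds in the same patch.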
@@ -507,7 +510,7 @@
    /**
     * Returns the delegation key cache lifetime for all delegations from this
     * JVM. If this property is not set or set to zero or less, no caching is
done. The
-     * value is the number of seconds the key/pair is cached.
+     * value is the number of milliseconds the key/pair is cached.
     * @return
     */
    public int getDelegationKeyCacheLifetime() {
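Review bot: this hunk changes only the documented unit of the existing delegation key cache lifetime (seconds to milliseconds) without touching `getDelegationKeyCacheLifetime()` or the code that consumes its value, none of which is in the diff, so the patch alone cannot confirm which unit is actually honoured. Either state in the commit message where the value is consumed as milliseconds, or split this documentation-only correction into its own change so the CRL feature can be reviewed and, if needed, reverted independently.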
@@ -535,6 +538,41 @@
        return valueInt;
    }

+    /**
+     * Returns the CRL cache lifetime. If this property is not set or
+     * set to zero or less, no caching is done. The value is the
+     * number of milliseconds the CRLs are cached without checking for
+     * modifications on disk.
+     *
+     * @throws NumberFormatException if the cache lifetime property
+     *         could not be parsed
+     * @return the CRL cache lifetime in milliseconds
+     */
+    public long getCRLCacheLifetime()
+        throws NumberFormatException {
+
+        long value = 0;
+
+        String property = getProperty(CRL_CACHE_LIFETIME);
+        if (property != null && property.length() > 0) {
+            long parsedValue  = Long.parseLong(property);
+            if (parsedValue > 0) {
+                value = parsedValue;
+            }
+        }
+
+        // System property takes precedence
+        property = System.getProperty(CRL_CACHE_LIFETIME);
+        if (property != null && property.length() > 0) {
+            long parsedValue = Long.parseLong(property);
+            if (parsedValue > 0) {
+                value = parsedValue;
+            }
+        }
+
+        return value;
+    }
+
    public String getSecureRandomProvider() {
    String value = System.getProperty("org.globus.random.provider");
    if (value != null) {
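Review bot: `getCRLCacheLifetime()` lets the `NumberFormatException` from `Long.parseLong` escape, and the first hunk calls the getter from the `DefaultCertificateRevocationLists` constructor, so a typo in `org.globus.jglobus.crl.cache.lifetime` (for example a trailing unit) would abort CRL setup instead of merely disabling the throttle. Catching the exception, logging the bad value and returning 0 would give the fail-safe behaviour the Javadoc already promises for unset or non-positive values; the two identical parse-and-clamp blocks (config file, then System property) could then be one private helper. Note also that this getter returns `long` while `getDelegationKeyCacheLifetime()` returns `int`; that is fine, but the caller in the first hunk currently stores the `int` one.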
------- Comment #1 From 2009-11-16 09:46:42 -------
Patch provided had incorrect reload interval. Fixed patch and provided to Gerd
for testing.
------- Comment #2 From 2009-11-18 09:33:09 -------
Committed to CoG JGlobus trunk.
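The throttled freshness check described in the report, as an added example that is not part of jglobus or of the patch above. It assumes a hypothetical property name `example.crl.cache.lifetime`, stands in a plain byte read for real CRL parsing, and goes one step beyond the patch: callers inside the lifetime window take a lock-free path, and only the one thread that wins a compare-and-set performs the disk check, so the global lock the report identifies as the contention point is held only while a check or reload is actually in progress.

```java
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.atomic.AtomicLong;

/**
 * Added example (not jglobus code): a CRL cache whose on-disk freshness check
 * runs at most once per lifetime window and is performed by a single thread,
 * while every other caller takes a lock-free fast path. "Loading" a CRL is a
 * plain byte read here; the refresh policy, not X.509 parsing, is the point.
 */
public final class ThrottledCrlCache {
    /** Hypothetical property name, modelled on the one proposed in the bug. */
    public static final String LIFETIME_PROPERTY = "example.crl.cache.lifetime";

    private final File crlFile;
    private final long lifetimeMillis;                 // 0 => check disk on every call
    private final AtomicLong lastCheck = new AtomicLong(Long.MIN_VALUE / 2); // first call always checks
    private final Object reloadLock = new Object();    // held only while checking/reloading
    private volatile long loadedMtime = -1L;           // mtime of the CRL copy held in memory
    private volatile byte[] crlBytes = new byte[0];
    private final AtomicInteger diskChecks = new AtomicInteger();
    private final AtomicInteger reloads = new AtomicInteger();

    public ThrottledCrlCache(File crlFile, long lifetimeMillis) {
        this.crlFile = crlFile;
        this.lifetimeMillis = Math.max(0L, lifetimeMillis);
    }

    /** Fail-safe parse: unset, malformed or non-positive => 0, i.e. the old per-call check. */
    public static long parseLifetime(String raw) {
        if (raw == null || raw.trim().isEmpty()) {
            return 0L;
        }
        try {
            long v = Long.parseLong(raw.trim());
            return v > 0 ? v : 0L;
        } catch (NumberFormatException e) {
            return 0L; // a typo must not abort CRL handling, only disable the throttle
        }
    }

    /** Called once per session before the CRLs are consulted. */
    public void refresh() throws IOException {
        long now = System.currentTimeMillis();
        long last = lastCheck.get();
        if (now - last < lifetimeMillis) {
            return;                      // inside the window: no lock, no stat()
        }
        // Exactly one of the threads that saw the window expire wins the CAS
        // and does the disk check; the others continue with the cached copy.
        if (!lastCheck.compareAndSet(last, now)) {
            return;
        }
        synchronized (reloadLock) {
            diskChecks.incrementAndGet();
            long mtime = crlFile.lastModified();
            if (mtime != loadedMtime) {
                crlBytes = Files.readAllBytes(crlFile.toPath()); // stand-in for CRL parsing
                loadedMtime = mtime;
                reloads.incrementAndGet();
            }
        }
    }

    public byte[] currentCrl() { return crlBytes.clone(); }
    public int diskChecks() { return diskChecks.get(); }
    public int reloads() { return reloads.get(); }

    public static void main(String[] args) throws Exception {
        // Constructed sample CRL file; the contents are a placeholder, not a real CRL.
        File tmp = File.createTempFile("example-crl", ".pem");
        tmp.deleteOnExit();
        Files.write(tmp.toPath(),
            "-----BEGIN X509 CRL-----\nconstructed placeholder\n-----END X509 CRL-----\n"
                .getBytes(StandardCharsets.US_ASCII));

        long lifetime = parseLifetime(System.getProperty(LIFETIME_PROPERTY, "60000"));
        ThrottledCrlCache cache = new ThrottledCrlCache(tmp, lifetime);

        // Eight "sessions" hammering refresh(), as in the report's 8-core test.
        Thread[] workers = new Thread[8];
        for (int i = 0; i < workers.length; i++) {
            workers[i] = new Thread(() -> {
                for (int n = 0; n < 100_000; n++) {
                    try {
                        cache.refresh();
                    } catch (IOException e) {
                        throw new IllegalStateException(e);
                    }
                }
            });
            workers[i].start();
        }
        for (Thread t : workers) {
            t.join();
        }
        System.out.println("lifetime=" + lifetime + "ms refresh() calls=800000"
            + " diskChecks=" + cache.diskChecks() + " reloads=" + cache.reloads()
            + " crlBytes=" + cache.currentCrl().length);
    }
}
```

Run with `java -Dexample.crl.cache.lifetime=60000 ThrottledCrlCache` and the eight threads together perform a single disk check and a single reload; run with `-Dexample.crl.cache.lifetime=0` and every call attempts the check, with callers that race on the same millisecond coalescing into one `lastModified()` call. The lifetime is a bound on staleness: a CRL rewritten on disk is picked up within one window, so the value should be set from the CAs' CRL publication cadence (typically hours), for which the 60 seconds used in the report is a small fraction. Malformed settings fall back to the unthrottled behaviour rather than failing CRL handling, which is the safe direction for a revocation check.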