Authentication is slow due to the slow initialization of /var/lib/one/remotes/auth/ldap/authenticate. It takes >700ms to process all the require statements in the included libs. Once the process has started, the authentication itself (LDAP, AD) is performed fast.
Because /var/lib/one/remotes/auth/ldap/authenticate is forked by /usr/lib/one/mads/one_auth_mad.rb for each authentication request, users wait 700ms on every authentication before anything useful actually starts happening.
The problem is made worse by a glitch in the login form. After entering credentials, if the user holds the Enter key down for a longer time, the login form is submitted multiple times. It is usual for some users to send tens of requests. Tens of authentication requests freeze Nebula completely, and that user and other users start receiving 502 responses from Sunstone. I believe the login form or its submit button needs to be disabled as the first thing in the JavaScript function which handles the authentication.
So there are actually two issues:
- slow start of /var/lib/one/remotes/auth/ldap/authenticate
- multiple submits of the login form are possible
Software version:
ONE 6.0.0.2
Ubuntu Server 20.4
Issue number 1 - multiple submits of the login form:
Steps to reproduce:
- Go to login page in a browser
- Enter credentials
- Press Enter and keep it pressed for a few seconds
Current results:
Several POST requests are sent by the browser to Sunstone.
Expected results:
Only one request is sent, e.g. the form is disabled as soon as the user submits it. The form will need to be re-enabled if authentication fails, and possibly for MFA.
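As an added example (not Sunstone code, and a server-side complement to disabling the form in the browser rather than a replacement for it): a per-session "single flight" guard that lets one authentication attempt per key run at a time, so a burst of repeated POSTs from a held-down Enter key costs one forked authenticate process instead of tens. The SingleFlight class, the session key and the simulated burst are all constructed here for illustration.

```ruby
# Added example, not Sunstone code: a per-session "single flight" guard.
# One authentication attempt per key may be in progress; concurrent repeats
# are refused at once instead of each forking another `authenticate` process.
class SingleFlight
  def initialize
    @lock      = Mutex.new
    @in_flight = {}   # key => true while an attempt for that key is running
  end

  # Runs the block for `key` unless an attempt for that key is already running.
  # Returns [:ran, result] or [:rejected, nil]; the caller maps :rejected to an
  # immediate error response (e.g. HTTP 429) without touching the auth driver.
  def run(key)
    return [:rejected, nil] unless claim(key)
    begin
      [:ran, yield]
    ensure
      release(key)   # always free the key, even if the backend raised
    end
  end

  private

  def claim(key)
    @lock.synchronize do
      return false if @in_flight[key]
      @in_flight[key] = true
    end
  end

  def release(key)
    @lock.synchronize { @in_flight.delete(key) }
  end
end

# Constructed scenario: `requests` near-simultaneous login POSTs from one
# browser session (the held-down Enter key). The first is held "inside the
# backend" on a queue until the whole burst has arrived, so the outcome does
# not depend on thread timing. Returns a hash with the counts.
def simulate_login_burst(requests: 10)
  guard         = SingleFlight.new
  gate          = Queue.new   # released once every request has been delivered
  outcomes      = Queue.new   # :ran / :rejected, one entry per request
  backend_calls = 0           # stands in for forks of authenticate

  threads = Array.new(requests) do
    Thread.new do
      status, _result = guard.run('session-123') {   # constructed session key
        backend_calls += 1
        gate.pop        # hold the one in-flight attempt until the burst is over
        :authenticated
      }
      outcomes << status
    end
  end

  sleep 0.005 until outcomes.size == requests - 1   # every other request was rejected
  gate << :go                                        # let the single attempt finish
  threads.each(&:join)

  counts = Hash.new(0)
  counts[outcomes.pop] += 1 until outcomes.empty?
  { ran: counts[:ran], rejected: counts[:rejected], backend_calls: backend_calls }
end

puts simulate_login_burst.inspect if __FILE__ == $PROGRAM_NAME
```

The guard keys on the session, so a legitimate second login from another browser is unaffected; the key is released in an ensure block so a crashing driver cannot leave a session locked out.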
Issue number 2 - very slow start of /var/lib/one/remotes/auth/ldap/authenticate
Steps to reproduce:
- Full authentication exactly as forked by /usr/lib/one/mads/one_auth_mad.rb, providing valid input on stdin:
echo -en "<AUTHN>\n <USERNAME>username</USERNAME>\n <PASSWORD>dummy</PASSWORD>\n <SECRET>ldappassword</SECRET>\n</AUTHN>" | ruby /var/lib/one/remotes/auth/ldap/authenticate
- Simply start it without providing any input: time bash -c "echo | /var/lib/one/remotes/auth/ldap/authenticate &>/dev/null"
- strace hints that it attempts to open a ton of files. A detailed look reveals that the vast majority of them are various Ruby libraries. Even if valid input is provided on stdin, the outcome looks the same.
echo | strace -c /var/lib/one/remotes/auth/ldap/authenticate
Invalid XML input
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 51.75    0.084790           3     24554     23248 stat
 29.07    0.047640           3     13020       737 lstat
Expected results:
Initialization of /var/lib/one/remotes/auth/ldap/authenticate should be much faster. Load fewer libs if possible?
Or prefork a pool of /var/lib/one/remotes/auth/ldap/authenticate processes so they are immediately ready when authentication requests come in.
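To find out which of the included libs account for the >700ms (the "load fewer libs" option above), the following added diagnostic, which is not OpenNebula code, hooks every require call and reports inclusive and self time per feature. The file name in the usage comment is an assumption; it is loaded ahead of the script with ruby -r and prints its report at exit.

```ruby
# Added diagnostic, not OpenNebula code: attribute Ruby start-up cost to the
# individual `require` calls, so the libraries behind the >700 ms can be found
# and trimmed or loaded lazily. Load it ahead of the script, e.g.
#   ruby -r ./require_profiler.rb /var/lib/one/remotes/auth/ldap/authenticate </dev/null
# (the file name is an assumption; save this block under any name).
module RequireProfiler
  # feature name => { inclusive: s, self: s (minus nested requires), loaded: bool }
  @entries = {}
  @stack   = []   # one slot per require in progress: seconds spent in nested requires

  class << self
    attr_reader :entries

    def clock
      Process.clock_gettime(Process::CLOCK_MONOTONIC)
    end

    # Wraps one require call; the block performs the real require.
    def track(feature)
      t0 = clock
      @stack << 0.0
      loaded = false
      begin
        loaded = yield
      ensure
        # Runs even when the require raises (e.g. LoadError), keeping @stack consistent.
        elapsed = clock - t0
        nested  = @stack.pop
        @stack[-1] += elapsed unless @stack.empty?   # charge our whole time to the parent
        e = (@entries[feature.to_s] ||= { inclusive: 0.0, self: 0.0, loaded: false })
        e[:inclusive] += elapsed
        e[:self]      += [elapsed - nested, 0.0].max
        e[:loaded]    ||= loaded   # stays false when the feature was already loaded
      end
      loaded
    end

    # Features that actually loaded, sorted by self time: [name, inclusive_s, self_s].
    def report(top: 10)
      @entries.select { |_, e| e[:loaded] }
              .sort_by { |_, e| -e[:self] }
              .first(top)
              .map { |name, e| [name, e[:inclusive], e[:self]] }
    end

    def print_report(top: 15)
      puts format('%-45s %9s %9s', 'feature', 'incl ms', 'self ms')
      report(top: top).each do |name, inc, slf|
        puts format('%-45s %9.1f %9.1f', name, inc * 1000, slf * 1000)
      end
      total = @entries.values.sum { |e| e[:self] }
      puts format('total time inside require: %.1f ms', total * 1000)
    end
  end

  # Prepended to Object rather than Kernel so that it also takes effect on
  # Ruby 2.x, where prepending to an already-included module is not seen by
  # the classes that included it. require_relative is not intercepted.
  module Hook
    def require(feature)
      RequireProfiler.track(feature) { super(feature) }
    end
    private :require
  end
end

Object.prepend(RequireProfiler::Hook)
at_exit { RequireProfiler.print_report }
```

Self time is what the feature's own file costs once its nested requires are subtracted, so a lib that merely pulls in a heavy dependency shows a large inclusive but small self time; the entries with large self time are the candidates to drop or to require lazily inside the code path that needs them.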