Authentication slow

Authentication is slow due do slow initialization of /var/lib/one/remotes/auth/ldap/authenticate. It takes >700ms to process all the require statements in the included libs. Once the process is started, the authentication is performed fast (LDAP, AD).

Because /var/lib/one/remotes/auth/ldap/authenticate is forked by /usr/lib/one/mads/one_auth_mad.rb for each authentication requests, users are waiting 700ms whenever they authenticate before anything useful actually starts happening.

The problem is made worse by some glitch i the login form. After entering credentials, if the user presses the Enter key for a longer time, the login form is submitted multiple times. It is usual for some users to send tens of requests. Tens of authentication requests freeze Nebula completely and the user and other users will start receiving 502 responses from Sunstone. I believe the login form or its submit button need to be disabled the first thing in the JavaScript function which handles the authentication.

So there are actually two issues:

  • slow start of var/lib/one/remotes/auth/ldap/authenticate
  • multiple submits of the login form are possible.

Software version:

Ubuntu Server 20.4

Issue number 1 - multiple submits of the login form:

Steps to reproduce:

  1. Go to login page in a browser
  2. Enter credentials
  3. Press Enter and keep it pressed for a few seconds

Current results:
Several POST requests are sent by the browser to Sunstone.

Expected results:
Only one request is sent. E.g. form is disabled as soon as the user submits the form. Form will need to be re-enabled if authentication fails or possibly for MFA.

Issue number 2 - very slow start of /var/lib/one/remotes/auth/ldap/authenticate

Steps to reproduce:

  1. Full authentication exactly as forked by /usr/lib/one/mads/one_auth_mad.rb, providing valid input to stdin:
echo -en "<AUTHN>\n  <USERNAME>username</USERNAME>\n  <PASSWORD>dummy</PASSWORD>\n  <SECRET>ldappassword</SECRET>\n</AUTHN>" | ruby /var/lib/one/remotes/auth/ldap/authenticate
  1. Simply start it without providing any imput: time bash -c “echo | /var/lib/one/remotes/auth/ldap/authenticate &>/dev/null”

  2. Strace will hint that it attempts to open a ton of files. A detailed look revealed vast majority of them are various ruby libraries. Even if valid input is provided to stdin, the outcome looks the same.

echo | strace -c /var/lib/one/remotes/auth/ldap/authenticate 
Invalid XML input
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 51.75    0.084790           3     24554     23248 stat
 29.07    0.047640           3     13020       737 lstat

Expected results:
Initialization of the /var/lib/one/remotes/auth/ldap/authenticate should be much faster. Load less libs if possible?
Or prefork a pool of /var/lib/one/remotes/auth/ldap/authenticate to have them immediately ready when authentication requests come.

For the latency of the auth driver, I pushed some simple low-hanging-fruit improvement

This should be included in the next release but you can probably apply the patch manually.

Anyway, could you please open an issue for both problems separately here ?


Thanks. I’ll give it a spin.
Meanwhile I have implemented the pre-forking idea and it sped up the authentication to ~50ms from >700ms. The implementation is somewhat ugly. It is just an interposer bash script which is called by the authenticate mad, manages the pool and sends data back an forth through named pipes.