Reduce Authentication Requests to Keycloak #281
Merged
@vbrik reached out on Slack because LTA was making a lot of requests to the Keycloak service.
Some of this is unavoidable; there are 10 components in a transfer pipeline, and all of them need to talk to the LTA REST service in order to coordinate their work.
Also, at peak times (retro disk processing) there can be 16-32 instances of some components like bundler and gridftp_replicator.
NERSC's Slurm-based job system is not great for long-lived components, so depending on how aggressively these components are scheduled at NERSC, they will start up frequently and authenticate with Keycloak every time.
However, there are some improvements that can be made to the code. Instead of authenticating with Keycloak at every work cycle, the RestClient can be created when the component is started, and the client can re-use its existing token, and only refresh it when necessary.
This PR introduces the code changes needed to create the RestClient early and provide it to the component to enable re-use.
A similar issue may affect the RestClient the component uses to access the File Catalog. Fortunately, these requests to authenticate with Keycloak should only happen when actual work is being performed. If these are also very noisy, we may consider earlier creation of this resource as well.
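
The difference between authenticating on every work cycle and reusing one client for the life of the component, as an added sketch that is not code from this PR. `CachedTokenClient`, `FakeIdP` and `simulate` are hypothetical names, and the 300-second token lifetime and 30-second refresh margin are assumed values.

```python
import time


class CachedTokenClient:
    """Hypothetical stand-in for a REST client that holds one access token."""

    def __init__(self, fetch_token, clock=time.monotonic, skew=30.0):
        self._fetch_token = fetch_token  # callable returning (token, lifetime_seconds)
        self._clock = clock
        self._skew = skew                # refresh this many seconds before expiry
        self._token = None
        self._expires_at = 0.0

    def token(self):
        """Return the cached token, contacting the identity provider only when needed."""
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._skew:
            self._token, lifetime = self._fetch_token()
            self._expires_at = now + lifetime
        return self._token


class FakeIdP:
    """Constructed identity provider that counts token requests (assumed 300 s lifetime)."""

    def __init__(self, lifetime=300.0):
        self.requests = 0
        self.lifetime = lifetime

    def issue(self):
        self.requests += 1
        return f"token-{self.requests}", self.lifetime


def simulate(cycles, cycle_seconds, reuse_client):
    """Run work cycles against a simulated clock; return the number of token requests."""
    idp = FakeIdP()
    now = [0.0]
    clock = lambda: now[0]
    client = CachedTokenClient(idp.issue, clock)  # created once, at component start
    for _ in range(cycles):
        if not reuse_client:
            # Old behaviour: a fresh client (and a fresh authentication) per work cycle.
            client = CachedTokenClient(idp.issue, clock)
        client.token()           # each cycle needs a valid token to call the REST service
        now[0] += cycle_seconds  # advance simulated time to the next cycle
    return idp.requests


if __name__ == "__main__":
    print("per-cycle client:", simulate(60, 60.0, reuse_client=False))
    print("reused client:   ", simulate(60, 60.0, reuse_client=True))
```

The refresh margin keeps a token from expiring in the middle of a request, at the cost of refreshing slightly earlier than the stated lifetime.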