Make identities less unique to improve performance #88
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Signed-off-by: Dustin Decker [email protected]
Overview
This change removes instance display names and metadata from GCP auth login responses. This increase performance at the expense of tracability.
When an alias is unique, Vault has to read a StoragePacker bucket, decompress it, unmarshal the protobuf, modify it, marshal it back to a protobuf, compress it, and write the bucket back. During any StoragePacker operation, a lock is put on that key which means that only one operation on the bucket can happen at any time. These operations are very expensive and get more expensive as the entity count grows.
Our entity count from the GCP auth backend is around 5 million currently, so each login results in processing ~22,300 entities in one of the StoragePacker buckets with an exclusive storage lock on that bucket. This results Vault failing if more than ~10 GCP authentications are being performed at a given time. We need to be able to do thousands per minute.
Related Issues/Pull Requests
hashicorp/vault#8761
Contributor Checklist
[ ] Add relevant docs to upstream Vault repository, or sufficient reasoning why docs won’t be added yet
My Docs PR Link
Example
[ ] Add output for any tests not ran in CI to the PR description (eg, acceptance tests)
[ ] Backwards compatible