Skip to content

fix: cpu contention when reading JWKs and suppress generating duplicate JWKs #3883

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

fix: cpu contention when reading JWKs and suppress generating duplicate JWKs #3883

wants to merge 5 commits into from

Conversation

terev
Copy link
Contributor

@terev terev commented Nov 10, 2024
edited
Loading

Previously each concurrent caller would need to lock a shared mutex when reading or writing a given JWK set. The read path now doesn't require locking a mutex at all and instead returns valid query results directly. The write path is now protected by a concurrency control mechanism (using x/sync/singleflight) to ensure only one JWK set is generated and persisted.

Note: Duplicate JWK sets may still be improperly generated if running more than one Hydra instance in a high traffic environment.

Related issue(s)

Fixes #3863

Checklist

  • I have read the contributing guidelines.
  • I have referenced an issue containing the design document if my change
    introduces a new feature.
  • I am following the
    contributing code guidelines.
  • I have read the security policy.
  • I confirm that this pull request does not address a security
    vulnerability. If this pull request addresses a security vulnerability, I
    confirm that I got the approval (please contact
    security@ory.sh) from the maintainers to push
    the changes.
  • I have added tests that prove my fix is effective or that my feature
    works.
  • I have added or changed the documentation.

Further Comments

This fixes a bug #3876 with the previous attempt to fix this issue .

@terev terev force-pushed the suppress-duplicate-jwk-gen branch 2 times, most recently from 7aa20e9 to 9f23fee Compare November 11, 2024 00:04
@terev terev marked this pull request as ready for review November 11, 2024 00:36
@terev terev requested review from aeneasr, hperl and alnr as code owners November 11, 2024 00:36
@terev
fix: cpu contention when reading JWKs and suppress generating duplica…
4b29aaf 
…te JWKs

Previously each concurrent caller would need to lock a shared mutex when reading or writing a given JWK set.
The read path now doesn't require locking a mutex at all and instead returns valid query results directly.
The write path is now protected by a concurrency control mechanism (using x/sync/singleflight) to ensure only one JWK set is generated and persisted.
Note: Duplicate JWK sets may still be improperly generated if running more than one Hydra instance in a high traffic environment.
@terev terev force-pushed the suppress-duplicate-jwk-gen branch from 9f23fee to 4b29aaf Compare November 19, 2024 07:44
@terev terev requested a review from a team as a code owner January 31, 2025 19:12
@aeneasr
Copy link
Member

aeneasr commented Mar 20, 2025

What would be the correct way to verify that this change is indeed behaving as expected? I assume we need some type of race test that calls the helper function multiple times and it has to give one expected result?

I think it would be good to have a test for this, as otherwise it's unclear if this fix works or breaks like the last time we merged a fix for this!

Thank you :)

@terev
Copy link
Contributor Author

terev commented Mar 20, 2025
edited
Loading

@aeneasr Yeah that's a good idea.

I think a good test would be to invoke the function with parallel calls that include a change to every argument that should cause unique results. Then ensure that each parallel caller gets a different result.

I can give this a shot if you think that sounds reasonable.

@aeneasr
Copy link
Member

aeneasr commented Mar 21, 2025
edited
Loading

@aeneasr Yeah that's a good idea.

I think a good test would be to invoke the function with parallel calls that include a change to every argument that should cause unique results. Then ensure that each parallel caller gets a different result.

I can give this a shot if you think that sounds reasonable.

Nice! So I think a test set up like this would work:

  1. Prepare a list of expected keys to be generated (more than 5)
  2. For each key execute the operation (more than 5)
  3. Now you have 5x5 combinations, run all of them at the same time in an errgroup
  4. No race conditions expected, and 5 unique values at the end

@aeneasr
Copy link
Member

aeneasr commented Mar 21, 2025

The numbers probably depend, it maybe enough to generate 2 unique keys and call it 25 times instead. I think the big challenge here is making sure that a lot of requests on this function do not cause problems.

I'm not sure if we depend on database magic for locking, if we do, you may need to run this against a real database because SQLite does not support concurrent writes iirc

@aeneasr
Copy link
Member

aeneasr commented Apr 1, 2025

Would you still be open for the change?

@terev
Copy link
Contributor Author

terev commented Apr 2, 2025

Yeah I mean to take a look, probably next weekend if possible.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lamcodeofpwnosec lamcodeofpwnosec lamcodeofpwnosec approved these changes

@aeneasr aeneasr Awaiting requested review from aeneasr aeneasr is a code owner

@hperl hperl Awaiting requested review from hperl

@alnr alnr Awaiting requested review from alnr

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

GetOrGenerateKeys locking leads to significant service degredation with high request saturation
3 participants
@terev @aeneasr @lamcodeofpwnosec