remove unnecessary LRU for internode auth token (#20119)

removes contentious usage of mutexes in LRU, which
were never really reused in any manner; we do not
need it.

To trust hosts, the correct way is TLS certs; this PR completely
removes this dependency, which has never been useful.

```
0  0%  100%  25.83s 26.76%  github.com/hashicorp/golang-lru/v2/expirable.(*LRU[...])
0  0%  100%  28.03s 29.04%  github.com/hashicorp/golang-lru/v2/expirable.(*LRU[...])
```

Bonus: use `x-minio-time` as a nanosecond to avoid unnecessary
parsing logic of time strings instead of using a more
straightforward mechanism.
This commit is contained in:
Harshavardhana
2024-07-22 00:04:48 -07:00
committed by GitHub
parent 3ef59d2821
commit 8e618d45fc
17 changed files with 58 additions and 475 deletions
+5 -5
View File
@@ -169,13 +169,13 @@ func dummyRequestValidate(r *http.Request) error {
return nil
}
func dummyTokenValidate(token, audience string) error {
if token == audience {
func dummyTokenValidate(token string) error {
if token == "debug" {
return nil
}
return fmt.Errorf("invalid token. want %s, got %s", audience, token)
return fmt.Errorf("invalid token. want empty, got %s", token)
}
func dummyNewToken(audience string) string {
return audience
func dummyNewToken() string {
return "debug"
}
+4 -3
View File
@@ -26,6 +26,7 @@ import (
"io"
"net"
"net/http"
"strconv"
"strings"
"sync"
"time"
@@ -208,8 +209,8 @@ func ConnectWS(dial ContextDialer, auth AuthFn, tls *tls.Config) func(ctx contex
dialer.NetDial = dial
}
header := make(http.Header, 2)
header.Set("Authorization", "Bearer "+auth(""))
header.Set("X-Minio-Time", time.Now().UTC().Format(time.RFC3339))
header.Set("Authorization", "Bearer "+auth())
header.Set("X-Minio-Time", strconv.FormatInt(time.Now().UnixNano(), 10))
if len(header) > 0 {
dialer.Header = ws.HandshakeHeaderHTTP(header)
@@ -225,4 +226,4 @@ func ConnectWS(dial ContextDialer, auth AuthFn, tls *tls.Config) func(ctx contex
}
// ValidateTokenFn must validate the token and return an error if it is invalid.
type ValidateTokenFn func(token, audience string) error
type ValidateTokenFn func(token string) error
+3 -3
View File
@@ -245,7 +245,7 @@ func (m *Manager) IncomingConn(ctx context.Context, conn net.Conn) {
writeErr(fmt.Errorf("time difference too large between servers: %v", time.Since(cReq.Time).Abs()))
return
}
if err := m.authToken(cReq.Token, cReq.audience()); err != nil {
if err := m.authToken(cReq.Token); err != nil {
writeErr(fmt.Errorf("auth token: %w", err))
return
}
@@ -257,10 +257,10 @@ func (m *Manager) IncomingConn(ctx context.Context, conn net.Conn) {
}
// AuthFn should provide an authentication string for the given aud.
type AuthFn func(aud string) string
type AuthFn func() string
// ValidateAuthFn should check authentication for the given aud.
type ValidateAuthFn func(auth, aud string) string
type ValidateAuthFn func(auth string) string
// Connection will return the connection for the specified host.
// If the host does not exist nil will be returned.
+1 -6
View File
@@ -262,14 +262,9 @@ type connectReq struct {
Token string
}
// audience returns the audience for the connect call.
func (c *connectReq) audience() string {
return fmt.Sprintf("%s-%d", c.Host, c.Time.Unix())
}
// addToken will add the token to the connect request.
func (c *connectReq) addToken(fn AuthFn) {
c.Token = fn(c.audience())
c.Token = fn()
}
func (connectReq) Op() Op {