Project

General

Profile

Actions

Bug #21423

open

arvados-login-sync activity with many users

Added by Peter Amstutz 10 months ago. Updated 10 months ago.

Status:
New
Priority:
Normal
Assigned To:
-
Category:
Deployment
Target version:
Story points:
-

Description

I logged into tordo to look at some logs. I expected it to be fairly quiet since it wasn't currently being used for anything, but was very surprised to see a huge number of requests to access the users/current endpoint, some of which were failing.

At first I was a little bit concerned that this was some kind of security probe attack, but on further investigation, it seems that all the requests were coming from the shell node.

The jutro/pirca/tordo federation has 100s of users (due to playground signups). Everyone automatically gets a shell account, and arvados-login-sync automatically runs every 2 (?) minutes.

I believe this constant stream of requests is just checking tokens (and refreshing the expired ones).

This creates a certain amount of noise in the logs that isn't great. It would be better if either:

  • token rotation runs less frequently, so on the 2 minute cycle it only looks to create tokens for users that don't have a token
  • we record the token expiration time only try to refresh tokens that are approaching the expiration time
    • one way to do that would be to add "ARVADOS_API_TOKEN_EXPIRATION=" field to the settings.conf file. login-sync could set and check this field to decide when to refresh tokens.
Actions

Also available in: Atom PDF