Bug #21423

Updated by Peter Amstutz 3 months ago

I logged into tordo to look at some logs. I expected it to be fairly quiet since it wasn't currently being used for anything, but was very surprised to see a huge number of requests to access the users/current endpoint, some of which were failing.

At first I was a little bit concerned that this was some kind of security probe attack, but on further investigation, it seems that all the requests were coming from the shell node.

The jutro/pirca/tordo federation has 100s of users (due to playground signups). Everyone automatically gets a shell account, and arvados-login-sync automatically runs every 2 (?) minutes.

I believe this constant stream of requests is just checking tokens (and refreshing the expired ones).

This creates a certain amount of noise in the logs that isn't great. It would be better if either:

* token rotation runs less frequently, so on the 2-minute cycle it only looks to create tokens for users that don't have a token
* we record the token expiration time and only try to refresh tokens that are approaching the expiration time
** one way to do that would be to add an "ARVADOS_API_TOKEN_EXPIRATION=" field to the settings.conf file. login-sync could set and check this field to decide when to refresh tokens.
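
The following Ruby example is added here; it is not part of the original report and is not arvados-login-sync's own code. It shows the check the second suggestion describes: read each user's settings.conf and ask for a new token only when none is recorded or the recorded ARVADOS_API_TOKEN_EXPIRATION is close. The ISO 8601 value format, the one-day margin, the helper names and the sample files are assumptions.

```ruby
require 'time'

# Assumption: refresh once less than one day of token lifetime remains.
REFRESH_MARGIN = 24 * 60 * 60 # seconds

# Parse the KEY=VALUE lines of a settings.conf into a Hash,
# skipping blank lines, comments and lines without "=".
def parse_settings(text)
  text.each_line.with_object({}) do |line, settings|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split('=', 2)
    settings[key.strip] = value.strip unless value.nil?
  end
end

# Classify one user's settings. Only :fresh lets the sync run skip the
# API request; a missing or unparsable expiration falls back to refresh,
# so a damaged file never leaves a user holding a stale token.
def refresh_decision(settings, now, margin = REFRESH_MARGIN)
  return :no_token if settings['ARVADOS_API_TOKEN'].to_s.empty?
  raw = settings['ARVADOS_API_TOKEN_EXPIRATION'].to_s
  return :no_expiration if raw.empty?
  expires = Time.iso8601(raw) # assumed format: ISO 8601 timestamp
  expires - now < margin ? :expiring : :fresh
rescue ArgumentError
  :bad_expiration
end

# Constructed sample files; host and token values are placeholders.
BASE = "ARVADOS_API_HOST=arvados.example.invalid\n"
TOKEN = "ARVADOS_API_TOKEN=PLACEHOLDER_TOKEN\n"
SAMPLES = {
  'alice' => BASE + TOKEN + "ARVADOS_API_TOKEN_EXPIRATION=2024-04-01T00:00:00Z\n",
  'bob'   => BASE + TOKEN + "ARVADOS_API_TOKEN_EXPIRATION=2024-03-01T06:00:00Z\n",
  'carol' => BASE + TOKEN,
  'dave'  => BASE + TOKEN + "ARVADOS_API_TOKEN_EXPIRATION=soon\n",
  'erin'  => BASE
}.freeze

# Users for whom this sync run would still contact the API server.
def users_to_refresh(samples, now)
  samples.reject { |_, text| refresh_decision(parse_settings(text), now) == :fresh }.keys
end

now = Time.iso8601('2024-03-01T00:00:00Z')
SAMPLES.each { |user, text| puts "#{user}: #{refresh_decision(parse_settings(text), now)}" }
```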
