Project

General

Profile

Bug #21423

Updated by Peter Amstutz 11 months ago

I logged into tordo to look at some logs.    I expected it to be fairly quiet since it wasn't currently being used for anything, but was very surprised to see a huge number of requests to access the users/current endpoint, some of which were failing. 

 At first I was a little bit concerned that this was some kind of security probe attack, but on further investigation, it seems that all the requests were coming from the shell node. 

 The jutro/pirca/tordo federation has 100s of users (due to playground signups).    Everyone automatically gets a shell account, and arvados-login-sync automatically runs every 2 (?) minutes. 

 I believe this constant stream of requests is just checking tokens (and refreshing the expired ones). 

 This creates a certain amount of noise in the logs that isn't great.    It would be better if either: 

 * token rotation runs less frequently, so on the 2 minute cycle it only looks to create tokens for users that don't have a token 
 * we record the token expiration time only try to refresh tokens that are approaching the expiration time 
 ** one way to do that would be to add "ARVADOS_API_TOKEN_EXPIRATION=" field to the settings.conf file.    login-sync could set and check this field to decide when to refresh tokens. 

Back