Github user rhtyd commented on the pull request:
https://github.com/apache/cloudstack/pull/1489#issuecomment-214212648
@koushik-das this is part of the feature to be able to check access based
on rules in DB and be consistent across all mgmt servers. In my local
environment with stock (un-optimized) mysql server, I can do a max of 12.8k
req/s benchmarked against wrk
```
$ wrk -t16 -c1000 -d30s
"http://localhost:8080/client/api?command=listUsers";
[14:08:08]
Running 30s test @ http://localhost:8080/client/api?command=listUsers
16 threads and 1000 connections
Thread Stats Avg Stdev Max +/- Stdev
Latency 78.35ms 64.44ms 1.52s 93.98%
Req/Sec 810.93 171.75 1.98k 77.53%
387964 requests in 30.09s, 147.26MB read
Socket errors: connect 0, read 0, write 0, timeout 2
Non-2xx or 3xx responses: 387964
Requests/sec: 12893.98
Transfer/sec: 4.89MB
```
And with another query, where dynamic checker is forced to fail doing all
sorts of db queries, it resulted about 700 req/s.
```
$ wrk -t16 -c1000 -d30s
"http://localhost:8096/client/api?signatureversion=3&apiKey=&expires=2016-04-25T08%3A50%3A19%2B0000&command=listUsers&signature=fmgUHUhRdCYf%2BoPHgcTVqzx0am4%3D&response=json&listall=true";
Running 30s test @
http://localhost:8096/client/api?signatureversion=3&apiKey=&expires=2016-04-25T08%3A50%3A19%2B0000&command=listUsers&signature=fmgUHUhRdCYf%2BoPHgcTVqzx0am4%3D&response=json&listall=true
16 threads and 1000 connections
Thread Stats Avg Stdev Max +/- Stdev
Latency 1.32s 197.24ms 1.79s 90.25%
Req/Sec 72.78 91.71 570.00 89.25%
21252 requests in 30.09s, 31.43MB read
Socket errors: connect 0, read 0, write 0, timeout 18
Requests/sec: 706.17
Transfer/sec: 1.04MB
```
@koushik-das we've db schema for consistency, we read data from
commands.properties and write them to a db table. We've a test_staticroles.py
too, that can do pre-upgrade integration testing and post-upgrade we've
test_dynamicroles.py. Lastly, it is intended to make reverse-migration
difficult to avoid inconsistent and unknown security behavior, read FS for
details. If you simply turn off the restricted global setting (from true to
false), it will disable both dynamic and static checker. One constraint for
this to enable is that a flag in db is enabled and commands.properties file
does not exist or readable from its classpath. Also, since commands.properties
is removed even if you switch the flags you'll need to create this file, put in
client/tomcatconf (as developer) and restart mgmt server as unlike
dynamic-checker, the static checker initializes only at boot time and not
runtime.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
