stable

Manage SVN auth using nginx and PHP instead of the mod_perl Tuleap.pm module

nginx manages the SVN auth by doing an additional auth request [0]. This auth request is then handled by the PHP codebase.

The existing "maximum credentials" SVN cache parameter is not taken into account anymore: it would require us to dynamically generate nginx configuration files. Also the cache is managed with fewer layers so we do not have this "maximum credentials" anymore. The cache key is a combination of the credential set and the project. nginx has been configured to store about 16000 cache entries, which should be enough even for large Tuleap instances. The "maximum credentials" setting will be hidden in the site administration in another contribution.

A feature flag is introduced to be able to downgrade to mod_perl Tuleap.pm based auth. Switching the feature flag on will immediately enable it on the PHP side so you will be left without auth until the SVNRoot Apache config file is re-generated. To avoid that, the following procedure should be used when downgrading:

1. Stop nginx: `systemctl stop nginx`
2. Refresh SVNRoot config file: `/usr/share/tuleap/src/utils/php-launcher.sh /usr/share/tuleap/src/utils/svn/force_refresh_codendi_svnroot.php`
3. Check the content of the SVNRoot config file to be sure it will manage the auth
4. Start nginx again: `systemctl start nginx`

To test this contribution, do not forget to re-deploy nginx configuration files. You might also want to force the re-generation of the SVNRoot config to not have a double auth during your tests. This double auth is not really an issue for production deployment: the SVNRoot file will be re-generated at some point (so only the nginx/PHP based auth will be kept) and the cache layers will make it good enough until that is the case.

A benchmark simulating one client authenticating with a password (which is the worst case) doing heavy SVN operations on one repo shows an improvement: 1478 req/s for the new approach vs 474 req/s for the existing one. This can be explained by the fact that the nginx cache has less work to do to find a match.

If you want to reproduce the benchmark you can use the following k6 [1] script:

```js
import http from 'k6/http';
import { check } from 'k6';

const username = 'user1';
const password = 'some_password';
const project_name = 'project1';
const repo_name = 'aaaaaaaa';

export const options = {
    insecureSkipTLSVerify: true,
    vus: 1,
    iterations: 20000
};

export default function () {
    const credentials = `${username}:${password}`;
    const url = `https://${credentials}@tuleap-web.tuleap-aio-dev.docker/svnplugin/${project_name}/${repo_name}/`;

    let res = http.get(url);

    check(res, {
        'status is 200': (r) => r.status === 200,
    });
}
```

Part of request #26407: De-duplicate authz/authn code used for SVN accesses

[0] https://nginx.org/en/docs/http/ngx_http_auth_request_module.html
[1] https://k6.io/

Change-Id: I19b0c93838f47b86fb808e48c5137cd4ddac0229
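A minimal nginx sketch of the mechanism the commit message describes: an auth subrequest whose result is cached under a key built from the credentials and the project. This is an added example, not the configuration shipped in this commit; the zone name, cache path, backend addresses, the `/_svn_auth` location and the cache lifetimes are all assumptions.

```nginx
# http {} context. Every name, path, address and lifetime below is assumed
# for illustration; none of it is taken from Tuleap's own nginx files.

# A 1 MB key zone holds about 8000 keys, so 2m gives roughly 16000 entries.
# nginx writes the cache key string into each cache file, and the key below
# contains the Basic credentials: keep this directory private to the nginx user.
proxy_cache_path /var/cache/nginx/svn_auth levels=1:2
                 keys_zone=svn_auth:2m inactive=10m;

# Extract the project from /svnplugin/<project>/<repo>/...
# $request_uri keeps the original client URI, also inside the auth subrequest.
map $request_uri $svn_project {
    default "";
    ~^/svnplugin/(?<p>[^/]+)/ $p;
}

server {
    listen 8080;

    location /svnplugin/ {
        # Each SVN request first triggers the subrequest below.
        # 2xx lets it through; 401/403 is returned to the client
        # (with the WWW-Authenticate header on 401).
        auth_request /_svn_auth;
        proxy_pass http://127.0.0.1:8081;      # assumed SVN backend
    }

    location = /_svn_auth {
        internal;                               # not reachable by clients
        proxy_pass http://127.0.0.1:9001/svn-auth-check;  # assumed auth endpoint
        proxy_pass_request_body off;            # the decision needs headers only
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;

        proxy_cache svn_auth;
        # One entry per (credential set, project) pair.
        proxy_cache_key "$http_authorization|$svn_project";
        # A cached allow outlives a password change or a permission
        # revocation by at most this lifetime, so keep it short.
        proxy_cache_valid 200 204 5m;
        proxy_cache_valid 401 403 30s;
    }
}
```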

Modified Files

M plugins/ldap/tests/unit/LDAPBackendSVNTest.php +2 −1
M plugins/svn/etc/nginx/svn.conf +4 −1
M plugins/svn/include/svnPlugin.php +2 −0
M src/common/Config/GetConfigKeys.php +2 −0
M src/common/Request/RouteCollector.php +2 −42
M src/common/SVNCore/AccessControl/SVNProjectAccessController.php +58 −7
A src/common/SVNCore/AccessControl/SVNProjectAccessRouteDefinition.php +86 −0
M src/common/SVNCore/SVN_Apache.class.php +11 −1
M src/common/SVNCore/SVN_Apache_SvnrootConf.class.php +6 −4
M src/common/include/LoaderScheduler.php +15 −7
M src/etc/nginx/tuleap-managed-global-settings.conf +2 −0
M src/etc/nginx/tuleap.d/06-svn.conf +23 −1
M src/www/include/pre.php +2 −2
M src/www/soap/index.php +1 −1
M tests/integration/tests/Backend/BackendSVNTest.php +2 −1
M tests/psalm/stubs/FastRoute/RouteCollector.phpstub +1 −1
M tests/unit/common/Include/LoaderSchedulerTest.php +10 −2
M tests/unit/common/SVNCore/AccessControl/SVNProjectAccessControllerTest.php +29 −5
M tests/unit/common/SVNCore/SVN_Apache_ModPerlTest.php +2 −1
M tests/unit/common/SVNCore/SVN_Apache_SvnrootConfTest.php +14 −1