CBG-2894: Reject user auth when channel threshold is over 500 #6214
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
torcolvin
reviewed
May 2, 2023
auth/auth.go
Outdated
| // only warn/limit if the threshold is set and if we are in this function as a "user" not a role | ||
| if auth.ServerlessChannelThreshold != 0 && princUser != nil { | ||
| // Warning at 50 channels | ||
| princUser.GetWarnChanSync().Do(func() { |
There was a problem hiding this comment.
This is going to not work as intended, since this only works the version first time this code is run, I'd write a test where it is over threshold the first time and then under threshold the second time, and it should only warn once.
What happens if it high (warning), then low, then high again (error)?
There was a problem hiding this comment.
I took this apporach as elsewhere we do this warning using the sync once. I don't think you can reset the sync.Once so I either keep as is to follow what is done elsewhere in the code or I remove it (but could end up with a lot of warnings in logs as result)
torcolvin
reviewed
May 5, 2023
torcolvin
approved these changes
May 5, 2023
bbrks
pushed a commit
that referenced
this pull request
Mar 28, 2024
* CBG-2894: Reject user auth when channel threshold is over 500 in serverless mode * fix panic where authetciator was needed and it wasn't availible * linter issue * linter issue again * remove extra methods off interface * pass user into function * rebase * ensure 500 code is retruned for http error added * updates based off comments * fix panic * updates based off comments * updates based off dicussion yesterday * lint error * updates based of comments
bbrks
pushed a commit
that referenced
this pull request
Apr 3, 2024
* CBG-2894: Reject user auth when channel threshold is over 500 in serverless mode * fix panic where authetciator was needed and it wasn't availible * linter issue * linter issue again * remove extra methods off interface * pass user into function * rebase * ensure 500 code is retruned for http error added * updates based off comments * fix panic * updates based off comments * updates based off dicussion yesterday * lint error * updates based of comments
mohammed-madi
pushed a commit
that referenced
this pull request
Apr 8, 2024
* CBG-2894: Reject user auth when channel threshold is over 500 in serverless mode * fix panic where authetciator was needed and it wasn't availible * linter issue * linter issue again * remove extra methods off interface * pass user into function * rebase * ensure 500 code is retruned for http error added * updates based off comments * fix panic * updates based off comments * updates based off dicussion yesterday * lint error * updates based of comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
CBG-2894
When channels set on a user have changed we need to be able to see how many channels this user has to warn if over warning threshold and to reject any future authorization requests for the user if they have exceeded the channel limit on the user. This code will only be called if a change in channel set has been detected removing the need for this check to be performed each time a user authenticates.
Pre-review checklist
fmt.Print,log.Print, ...)base.UD(docID),base.MD(dbName))docs/apiIntegration Tests
GSI=true,xattrs=truehttps://jenkins.sgwdev.com/job/SyncGateway-Integration/1765/