CBG-2894: Reject user auth when channel threshold is over 500 #6214
some initial comments
auth/auth.go
Outdated
// only warn/limit if the threshold is set and if we are in this function as a "user" not a role | ||
if auth.ServerlessChannelThreshold != 0 && princUser != nil { | ||
// Warning at 50 channels | ||
princUser.GetWarnChanSync().Do(func() { |
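Review bot: the `princUser.GetWarnChanSync().Do(func() {` call on the last visible line runs its closure at most once for the lifetime of that Once value, so the warning cannot fire again after the first time and, if the channel-count comparison sits inside the closure, it is only ever evaluated on the first call. Keep the comparison outside `Do` and document on `GetWarnChanSync` how long the Once lives and whether it is ever replaced. The comment `// Warning at 50 channels` also hard-codes a number while the guard above it tests `auth.ServerlessChannelThreshold != 0`; refer to the setting or constant that supplies the warning level so the comment cannot drift from the code.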
This is not going to work as intended, since this only works the first time this code is run. I'd write a test where it is over threshold the first time and then under threshold the second time, and it should only warn once.
What happens if it is high (warning), then low, then high again (error)?
I took this approach as elsewhere we do this warning using the sync.Once. I don't think you can reset the sync.Once, so I either keep it as is to follow what is done elsewhere in the code or I remove it (but could end up with a lot of warnings in the logs as a result).
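The high, low, high sequence raised in this thread, replayed as an added example that is not code from this PR or from Sync Gateway: it compares a `sync.Once`-guarded warning with one that fires on each upward crossing of the threshold. The type names, `countWarnings`, and the threshold of 50 (taken from the "Warning at 50 channels" comment) are assumptions for illustration.

```go
package main

import (
	"fmt"
	"sync"
)

// warnThreshold is an assumed value, taken from the "Warning at 50 channels" comment.
const warnThreshold = 50

// onceWarner (hypothetical) mirrors the warn-once pattern: a sync.Once guards the log call.
type onceWarner struct {
	once  sync.Once
	warns int // stands in for the number of log lines emitted
}

func (w *onceWarner) check(channels int) {
	if channels >= warnThreshold {
		w.once.Do(func() { w.warns++ }) // runs at most once, ever
	}
}

// edgeWarner (hypothetical) warns each time the count moves from under to over
// the threshold, so repeated checks while already over stay quiet.
type edgeWarner struct {
	mu    sync.Mutex
	over  bool
	warns int
}

func (w *edgeWarner) check(channels int) {
	w.mu.Lock()
	defer w.mu.Unlock()
	now := channels >= warnThreshold
	if now && !w.over {
		w.warns++
	}
	w.over = now
}

// countWarnings replays a constructed sequence of channel counts through both warners.
func countWarnings(seq []int) (onceCount, edgeCount int) {
	o, e := &onceWarner{}, &edgeWarner{}
	for _, n := range seq {
		o.check(n)
		e.check(n)
	}
	return o.warns, e.warns
}

func main() {
	o, e := countWarnings([]int{60, 10, 70, 80}) // high, low, high, still high
	fmt.Printf("sync.Once warnings: %d, edge-triggered warnings: %d\n", o, e)
}
```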
Just some nitpicking comments.
* CBG-2894: Reject user auth when channel threshold is over 500 in serverless mode
* fix panic where authenticator was needed and it wasn't available
* linter issue
* linter issue again
* remove extra methods off interface
* pass user into function
* rebase
* ensure 500 code is returned for http error added
* updates based off comments
* fix panic
* updates based off comments
* updates based off discussion yesterday
* lint error
* updates based off comments
CBG-2894
When the channels set on a user have changed, we need to be able to see how many channels this user has, to warn if over the warning threshold and to reject any future authorization requests for the user if they have exceeded the channel limit on the user. This code will only be called if a change in channel set has been detected, removing the need for this check to be performed each time a user authenticates.
Pre-review checklist
fmt.Print
,log.Print
, ...)base.UD(docID)
,base.MD(dbName)
)docs/api
Integration Tests
GSI=true,xattrs=true
https://jenkins.sgwdev.com/job/SyncGateway-Integration/1765/