From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 630C51FF1A6 for ; Fri, 5 Dec 2025 14:25:43 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id E3A1C1D2CC; Fri, 5 Dec 2025 14:26:08 +0100 (CET) From: Samuel Rufinatscha To: pbs-devel@lists.proxmox.com Date: Fri, 5 Dec 2025 14:25:56 +0100 Message-ID: <20251205132559.197434-4-s.rufinatscha@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20251205132559.197434-1-s.rufinatscha@proxmox.com> References: <20251205132559.197434-1-s.rufinatscha@proxmox.com> MIME-Version: 1.0 X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1764941116856 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.281 Adjusted score from AWL reputation of 
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [proxmox.com] Subject: [pbs-devel] [PATCH proxmox-backup 3/3] pbs-config: add TTL window to token secret cache X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Backup Server development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pbs-devel-bounces@lists.proxmox.com Sender: "pbs-devel" verify_secret() currently calls refresh_cache_if_file_changed() on every request, which performs a metadata() call on token.shadow each time. Under load this adds unnecessary overhead, especially since the file rarely changes. This patch introduces a TTL boundary, controlled by TOKEN_SECRET_CACHE_TTL_SECS. File metadata is only re-loaded once the TTL has expired. This patch partly fixes bug #6049 [1]. [1] https://bugzilla.proxmox.com/show_bug.cgi?id=7017 
Signed-off-by: Samuel Rufinatscha --- pbs-config/src/token_shadow.rs | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/pbs-config/src/token_shadow.rs b/pbs-config/src/token_shadow.rs index ed54cdfa..23837c60 100644 --- a/pbs-config/src/token_shadow.rs +++ b/pbs-config/src/token_shadow.rs @@ -10,6 +10,7 @@ use serde::{Deserialize, Serialize}; use serde_json::{from_value, Value}; use proxmox_sys::fs::CreateOptions; +use proxmox_time::epoch_i64; use pbs_api_types::Authid; //use crate::auth; @@ -24,6 +25,8 @@ const CONF_FILE: &str = pbs_buildcfg::configdir!("/token.shadow"); /// subsequent authentications for the same token+secret combination, avoiding /// recomputing the password hash on every request. static TOKEN_SECRET_CACHE: OnceCell> = OnceCell::new(); +/// Max age in seconds of the token secret cache before checking for file changes. +const TOKEN_SECRET_CACHE_TTL_SECS: i64 = 60; #[derive(Serialize, Deserialize)] #[serde(rename_all = "kebab-case")] @@ -63,6 +66,15 @@ fn write_file(data: HashMap) -> Result<(), Error> { fn refresh_cache_if_file_changed() -> Result<(), Error> { let mut cache = token_secret_cache().write().unwrap(); + let now = epoch_i64(); + + // Fast path: Within TTL boundary + if let Some(last) = cache.last_checked { + if now - last < TOKEN_SECRET_CACHE_TTL_SECS { + return Ok(()); + } + } + // Fetch the current token.shadow metadata let (new_mtime, new_len) = match fs::metadata(CONF_FILE) { Ok(meta) => (meta.modified().ok(), Some(meta.len())), @@ -79,6 +91,7 @@ fn refresh_cache_if_file_changed() -> Result<(), Error> { cache.secrets.clear(); cache.file_mtime = new_mtime; cache.file_len = new_len; + cache.last_checked = Some(now); Ok(()) } @@ -169,6 +182,8 @@ struct ApiTokenSecretCache { file_mtime: Option, // shadow file length to detect changes file_len: Option, + // last time the file metadata was checked + last_checked: Option, } fn token_secret_cache() -> &'static RwLock { 
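Review bot: The doc comment on `TOKEN_SECRET_CACHE_TTL_SECS` (hunk @@ -24) should spell out the security consequence of the window, since the constant now bounds how long a stale entry stays authoritative: a secret that is rotated or removed in token.shadow can keep verifying against the cached hash for up to 60 s, and a newly added token can be rejected for as long. Suggested wording: `/// Max age in seconds of the token secret cache before token.shadow is re-checked for changes. Edits to the file (rotated or revoked token secrets) can take up to this long to take effect.` The same caveat belongs in the commit message, which currently only mentions the overhead saving.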
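Review bot: `cache.last_checked = Some(now);` is only written at the end of the changed-file branch (hunk @@ -79, after `cache.secrets.clear()`); if the metadata comparison between hunk @@ -63 and hunk @@ -79 returns early when mtime and length are unchanged (those lines are not visible here), `last_checked` is never advanced while token.shadow stays the same, so after the first 60 s the fast path never applies again and every request is back to calling `fs::metadata`. Moving `cache.last_checked = Some(now);` to directly after the metadata fetch, before any comparison, makes the TTL cover both outcomes. Two smaller points on the fast path in hunk @@ -63: `epoch_i64()` is wall-clock time, so a backwards clock step makes `now - last` negative and silently extends the window until the clock catches up, which `std::time::Instant` plus `elapsed()` would avoid; and the TTL check runs under `write()`, so the supposedly cheap path still serializes every concurrent verify_secret() caller, whereas checking `last_checked` under `read()` first and taking `write()` only once it has expired keeps the hot path contended by readers only. The body of refresh_cache_if_file_changed() between the two hunks is outside the patch.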
@@ -177,6 +192,7 @@ fn token_secret_cache() -> &'static RwLock { secrets: HashMap::new(), file_mtime: None, file_len: None, + last_checked: None, }) }) } -- 2.47.3 _______________________________________________ pbs-devel mailing list pbs-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel