mirror of
https://github.com/zitadel/zitadel.git
synced 2024-12-13 03:24:26 +00:00
63d733b3a2
# Which Problems Are Solved When executing many concurrent authentication requests on a single machine user, there were performance issues. As the same aggregate is being searched and written to concurrently, we traced it down to a locking issue on the used index. We already optimized the token endpoint by creating a separate OIDC aggregate. At the time we decided to push a single event to the user aggregate, for the user audit log. See [technical advisory 10010](https://zitadel.com/docs/support/advisory/a10010) for more details. However, a recent security fix introduced an additional search query on the user aggregate, causing the locking issue we found. # How the Problems Are Solved Add a feature flag which disables pushing of the `user.token.v2.added`. The event has no importance and was only added for informational purposes on the user objects. The `oidc_session.access_token.added` is the actual payload event and is pushed on the OIDC session aggregate and can still be used for audit trail. # Additional Changes - Fix an event mapper type for `SystemOIDCSingleV1SessionTerminationEventType` # Additional Context - Reported by support request - https://github.com/zitadel/zitadel/pull/7822 changed the token aggregate - https://github.com/zitadel/zitadel/pull/8631 introduced user state check Load test trace graph with `user.token.v2.added` **enabled**. Query times are steadily increasing: ![image](https://github.com/user-attachments/assets/4aa25055-8721-4e93-b695-625560979909) Load test trace graph with `user.token.v2.added` **disabled**. Query times constant: ![image](https://github.com/user-attachments/assets/a7657f6c-0c55-401b-8291-453da5d5caf9) --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
100 lines
2.9 KiB
Go
100 lines
2.9 KiB
Go
package query
|
|
|
|
import (
|
|
"github.com/zitadel/zitadel/internal/eventstore"
|
|
"github.com/zitadel/zitadel/internal/feature"
|
|
"github.com/zitadel/zitadel/internal/repository/feature/feature_v2"
|
|
)
|
|
|
|
type SystemFeaturesReadModel struct {
|
|
*eventstore.ReadModel
|
|
system *SystemFeatures
|
|
}
|
|
|
|
func NewSystemFeaturesReadModel() *SystemFeaturesReadModel {
|
|
m := &SystemFeaturesReadModel{
|
|
ReadModel: &eventstore.ReadModel{
|
|
AggregateID: "SYSTEM",
|
|
ResourceOwner: "SYSTEM",
|
|
},
|
|
system: new(SystemFeatures),
|
|
}
|
|
return m
|
|
}
|
|
|
|
func (m *SystemFeaturesReadModel) Reduce() error {
|
|
for _, event := range m.Events {
|
|
switch e := event.(type) {
|
|
case *feature_v2.ResetEvent:
|
|
m.reduceReset()
|
|
case *feature_v2.SetEvent[bool]:
|
|
err := reduceSystemFeatureSet(m.system, e)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
case *feature_v2.SetEvent[[]feature.ImprovedPerformanceType]:
|
|
err := reduceSystemFeatureSet(m.system, e)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
}
|
|
}
|
|
return m.ReadModel.Reduce()
|
|
}
|
|
|
|
func (m *SystemFeaturesReadModel) Query() *eventstore.SearchQueryBuilder {
|
|
return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
|
|
AwaitOpenTransactions().
|
|
AddQuery().
|
|
AggregateTypes(feature_v2.AggregateType).
|
|
AggregateIDs(m.AggregateID).
|
|
EventTypes(
|
|
feature_v2.SystemResetEventType,
|
|
feature_v2.SystemLoginDefaultOrgEventType,
|
|
feature_v2.SystemTriggerIntrospectionProjectionsEventType,
|
|
feature_v2.SystemLegacyIntrospectionEventType,
|
|
feature_v2.SystemUserSchemaEventType,
|
|
feature_v2.SystemTokenExchangeEventType,
|
|
feature_v2.SystemActionsEventType,
|
|
feature_v2.SystemImprovedPerformanceEventType,
|
|
feature_v2.SystemOIDCSingleV1SessionTerminationEventType,
|
|
feature_v2.SystemDisableUserTokenEvent,
|
|
).
|
|
Builder().ResourceOwner(m.ResourceOwner)
|
|
}
|
|
|
|
func (m *SystemFeaturesReadModel) reduceReset() {
|
|
m.system = nil
|
|
m.system = new(SystemFeatures)
|
|
}
|
|
|
|
func reduceSystemFeatureSet[T any](features *SystemFeatures, event *feature_v2.SetEvent[T]) error {
|
|
level, key, err := event.FeatureInfo()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
switch key {
|
|
case feature.KeyUnspecified:
|
|
return nil
|
|
case feature.KeyLoginDefaultOrg:
|
|
features.LoginDefaultOrg.set(level, event.Value)
|
|
case feature.KeyTriggerIntrospectionProjections:
|
|
features.TriggerIntrospectionProjections.set(level, event.Value)
|
|
case feature.KeyLegacyIntrospection:
|
|
features.LegacyIntrospection.set(level, event.Value)
|
|
case feature.KeyUserSchema:
|
|
features.UserSchema.set(level, event.Value)
|
|
case feature.KeyTokenExchange:
|
|
features.TokenExchange.set(level, event.Value)
|
|
case feature.KeyActions:
|
|
features.Actions.set(level, event.Value)
|
|
case feature.KeyImprovedPerformance:
|
|
features.ImprovedPerformance.set(level, event.Value)
|
|
case feature.KeyOIDCSingleV1SessionTermination:
|
|
features.OIDCSingleV1SessionTermination.set(level, event.Value)
|
|
case feature.KeyDisableUserTokenEvent:
|
|
features.DisableUserTokenEvent.set(level, event.Value)
|
|
}
|
|
return nil
|
|
}
|