diff options
| author | Douwe Maan <douwe@gitlab.com> | 2016-03-10 18:30:28 +0000 |
|---|---|---|
| committer | Douwe Maan <douwe@gitlab.com> | 2016-03-10 18:30:28 +0000 |
| commit | 57142014e8424717cda16de9fd8c549c9b402c37 (patch) | |
| tree | 1e5ed8efcb3eb2f8ceefccaf243524964bfb19b4 /lib | |
| parent | 8ecdc0a7de05d81247f2892c7d7e2850ea5f811d (diff) | |
| parent | 7b2bf4ce7589f73bf98a754fecb89d4f92d410b3 (diff) | |
| download | gitlab-ce-57142014e8424717cda16de9fd8c549c9b402c37.tar.gz | |
Merge branch 'expiring-lock' into 'master'
Use an exclusive lease for LDAP checks
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/14134
Merge https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/3140 first.
Only perform LDAP checks for a user after acquiring a lease. Checks
during user login do not require a lease.
The lease has a fixed expire time of 10 minutes.
See merge request !3143
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/gitlab/exclusive_lease.rb | 41 | ||||
| -rw-r--r-- | lib/gitlab/user_access.rb | 2 |
2 files changed, 42 insertions, 1 deletions
diff --git a/lib/gitlab/exclusive_lease.rb b/lib/gitlab/exclusive_lease.rb new file mode 100644 index 00000000000..2ef50286b1d --- /dev/null +++ b/lib/gitlab/exclusive_lease.rb @@ -0,0 +1,41 @@ +module Gitlab + # This class implements an 'exclusive lease'. We call it a 'lease' + # because it has a set expiry time. We call it 'exclusive' because only + # one caller may obtain a lease for a given key at a time. The + # implementation is intended to work across GitLab processes and across + # servers. It is a 'cheap' alternative to using SQL queries and updates: + # you do not need to change the SQL schema to start using + # ExclusiveLease. + # + # It is important to choose the timeout wisely. If the timeout is very + # high (1 hour) then the throughput of your operation gets very low (at + # most once an hour). If the timeout is lower than how long your + # operation may take then you cannot count on exclusivity. For example, + # if the timeout is 10 seconds and you do an operation which may take 20 + # seconds then two overlapping operations may hold a lease for the same + # key at the same time. + # + class ExclusiveLease + def initialize(key, timeout:) + @key, @timeout = key, timeout + end + + # Try to obtain the lease. Return true on success, + # false if the lease is already taken. + def try_obtain + # Performing a single SET is atomic + !!redis.set(redis_key, '1', nx: true, ex: @timeout) + end + + private + + def redis + # Maybe someday we want to use a connection pool... + @redis ||= Redis.new(url: Gitlab::RedisConfig.url) + end + + def redis_key + "gitlab:exclusive_lease:#{@key}" + end + end +end diff --git a/lib/gitlab/user_access.rb b/lib/gitlab/user_access.rb index 4885baf9526..d1b42c1f9b9 100644 --- a/lib/gitlab/user_access.rb +++ b/lib/gitlab/user_access.rb @@ -3,7 +3,7 @@ module Gitlab def self.allowed?(user) return false if user.blocked? - if user.requires_ldap_check? + if user.requires_ldap_check? && user.try_obtain_ldap_lease return false unless Gitlab::LDAP::Access.allowed?(user) end |