Activity log for bug #1171985

Date Who What changed Old value New value Message
2013-04-23 19:18:14 Morgan Fainberg bug added bug
2013-04-23 19:20:42 Morgan Fainberg description
Old value: The token list and revocation lists in the memcache token driver can hit the limit of a given memcache page. This can occur if a user continually issues tokens and does not let the list page(s) expire out of the memcache server. The revocation page, in theory, would never expire out of the memcache server if there was any consistent amount of revocations occurring. Typically this will occur if the token count reaches somewhere in the 31,700 range using the 1MB default page size. While this is a fairly sizable number, the issue lies in that the memcache token driver does not have any logic to expire out tokens from either the revocation list or the active token list (with the exception of a delete, which moves the token from "active" to "revocation"). This means that there is the potential that any given user could exceed the size of these two lists over an extended period of time (or even a short period of time if an account issues/revokes a large quantity of tokens consistently). The revocation list appears to be more sensitive to this effect since it looks to hold the entire token contents instead of just the ID. When this event occurs, the result will be that no further tokens can be issued or no further tokens can be added to the revocation list.
New value: The token list and revocation lists in the memcache token driver can hit the limit of a given memcache page. This can occur if a user continually issues tokens and does not let the list page(s) expire out of the memcache server. The revocation page, in theory, would never expire out of the memcache server if there was any consistent amount of revocations occurring. Typically this will occur if the token count reaches somewhere in the 31,700 range using the 1MB default page size.
While this is a fairly sizable number, the issue lies in that the memcache token driver does not have any logic to expire out tokens from either the revocation list or the active token list (with the exception of a delete, which moves the token from "active" to "revocation"). This means that there is the potential that any given user could exceed the size of these two lists over an extended period of time (or even a short period of time if an account issues/revokes a large quantity of tokens consistently). The revocation list appears to be more sensitive to this effect since it looks to hold the entire token contents instead of just the ID. When this event occurs, the result will be that no further tokens can be issued (for a given user/tenant combination) or no further tokens can be added to the revocation list.
2013-04-23 19:21:29 Morgan Fainberg keystone: assignee Morgan Fainberg (mdrnstm)
2013-04-26 20:40:00 OpenStack Infra keystone: status New In Progress
2013-06-10 20:06:14 Dolph Mathews keystone: importance Undecided High
2013-06-14 16:15:24 OpenStack Infra keystone: status In Progress Fix Committed
2013-07-17 12:05:09 Thierry Carrez keystone: status Fix Committed Fix Released
2013-07-17 12:05:09 Thierry Carrez keystone: milestone havana-2
2013-10-17 12:36:27 Thierry Carrez keystone: milestone havana-2 2013.2