Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-61211

QueueItemAuthenticator causes Build Queue contention

XMLWordPrintable

    • Icon: Improvement Improvement
    • Resolution: Unresolved
    • Icon: Major Major
    • core
    • core:2.222

      When using the Authorize Project plugin to configure authorization for build execution, this has severe consequences on the overall performances of a Jenkins master because it request information repeatedly "trying to get user details for impersonation" from the Security Realm. This can happen during in a thread that hold the Queue.Lock

      An instance will periodically become unavailable or take a very long time in builds especially when the build queue becomes large or when a lot of builds are happening all at the same time.

      If start a fresh instance with 2 master executors, configure a "Project default Build Authorization" under Manage Jenkins > configure Global Security, then create a single pipeline and execute it, you will see through FINE logging of hudson.model.User that the {{User#getUserDetailsForImpersonation} is requested 8 times:

      Feb 24, 2020 2:42:42 PM FINE hudson.model.User getUserDetailsForImpersonation
Impersonation of the user admin was a success
Feb 24, 2020 2:42:42 PM FINE hudson.model.User getUserDetailsForImpersonation
Impersonation of the user admin was a success
Feb 24, 2020 2:42:42 PM FINE hudson.model.User getUserDetailsForImpersonation
Impersonation of the user admin was a success
Feb 24, 2020 2:42:42 PM FINE hudson.model.User getUserDetailsForImpersonation
Impersonation of the user admin was a success
Feb 24, 2020 2:42:42 PM FINE hudson.model.User getUserDetailsForImpersonation
Impersonation of the user admin was a success
Feb 24, 2020 2:42:42 PM FINE hudson.model.User getUserDetailsForImpersonation
Impersonation of the user admin was a success
Feb 24, 2020 2:42:42 PM FINE hudson.model.User getUserDetailsForImpersonation
Impersonation of the user admin was a success
Feb 24, 2020 2:42:42 PM FINE hudson.model.User getUserDetailsForImpersonation
Impersonation of the user admin was a success

      Workaround

      Caching can be configured at the Security Realm level depending on the solution (for example for LDAP / Active directory).

      Improvement Proposal

      I do however think that something could be improved and that since impersonation is happening so frequently, maybe the UserDetailsCache can be used to improve performance.

            allan_burdajewicz Allan BURDAJEWICZ
            allan_burdajewicz Allan BURDAJEWICZ
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated: