(https://issues.jenkins.io/browse/JENKINS-65333 somehow make a similar point but addressed only one particular problem)

      CredentialsProvider lookup can be very costly. Looking up all providers for nothing. This is particularly visible in environments that use remote vaults (Hashicorp Vault for example).

      One particular example is the case of finding a single credentials CredentialsProvider#findCredentialById. It does not halt on first findings, instead it goes through all possible providers and eventually find the first match: https://github.com/jenkinsci/credentials-plugin/blob/1337.v60b_d7b_c7b_c9f/src/main/java/com/cloudbees/plugins/credentials/CredentialsProvider.java#L978.

      But in many cases, CredentialsProvider#lookupCredentials is used to lookup a specific unique credentials ID with the IdMatcher. Probably due to a limitation that CredentialsProvider#findCredentialById requires a run.

      Particularly greedy processes are the BranchIndexing / OrganizationScan of GitHub Branch Source that can generate many many lookups, for the same credentials ID..

      For that reason I am linking the 2 plugins here.

          [JENKINS-73151] Performance of CredentialsProvider lookups

          Jesse Glick added a comment -

          Unfortunately https://javadoc.jenkins.io/plugin/credentials/com/cloudbees/plugins/credentials/CredentialsProvider.html#getCredentialsInItem(java.lang.Class,hudson.model.Item,org.springframework.security.core.Authentication,java.util.List) does not accept a CredentialsMatcher or otherwise allow a specific id to be passed in.

          The original design of the plugin seems to have assumed that credentials would be discovered from a pool by matcher according to some criteria (type, domain). In practice nobody uses these features and the actual use case is just a map from id to credentials, but the API is still optimized for the nonexistent use case.

          Jesse Glick added a comment - Unfortunately https://javadoc.jenkins.io/plugin/credentials/com/cloudbees/plugins/credentials/CredentialsProvider.html#getCredentialsInItem(java.lang.Class,hudson.model.Item,org.springframework.security.core.Authentication,java.util.List ) does not accept a CredentialsMatcher or otherwise allow a specific id to be passed in. The original design of the plugin seems to have assumed that credentials would be discovered from a pool by matcher according to some criteria (type, domain). In practice nobody uses these features and the actual use case is just a map from id to credentials, but the API is still optimized for the nonexistent use case.

            Unassigned Unassigned
            allan_burdajewicz Allan BURDAJEWICZ
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated: