Cookie-size overflow when using external (REST) role mapping #2111
Comments
|
@sverrehu I agree that the 4KB cookie limit is a constraint with the fine-grained permissions that we have now. |
|
Yes, in-memory cache is what I was thinking about. |
|
@sverrehu, are you preparing a PR to fix this? AFAIK your proposed solution works from a fork in our environment. |
|
I started to work on it. The main concern that I have right now is about multiple AKHQ replicas. Suppose you have 2 AKHQ replicas in K8S or 2 AKHQ behind a LB, a request can be handled by one or the other replica. So this local cache needs to be set on the replica that doesn't handle the login. |
|
I haven't gotten around to making it a proper PR yet, but this is what I have, that solves the problem at our site: |
|
Update: I made the above mentioned, local PR into a draft PR: #2125 |
|
I understand what you did to make OIDC works in your case. The thing is that storing the groups in the JWT token to process them after won't work for: as these 2 give directly the groups mapping (role/pattern/cluster) and not just the AKHQ group to map with the configuration. |
|
@AlexisSouquiere, I think you should look closer at the PR. 👓 is still present. And if the |
|
I saw this 😄 I was more thinking of a way to avoid completely the groups mapping from the JWT token, even for the direct OIDC mapping and the external mapping |
|
Yes, this should probably be reworked, but I am thinking short-term and long-term fixes. We cannot use AKHQ without an immediate fix for this. |
|
I fixed the tests now. PTAL, @AlexisSouquiere |
|
I will check that before Thursday EOD. At first glance the PR looks good. |
|
Thanks! |
|
I did the review and with small changes, your proposal works. After testing, the only concern that I have is that now using OIDC + the External claim provider, on each and every request, the external claim provider will be called. It's an impacting change as we were only doing a single call preivously. I think that setting up a local cache with caffeine is kind of mandatory to avoid this behaviour. WDYT ? With OIDC + groups mapping from the config there is no issues as we are only using local data, but with the external claim provider, the situation has changed |
|
Thanks for your review and your comments! I have a branch in which I try to implement caching, but I have not tested it yet: |
|
Hello everyone, I just wanted to quickly ask how things will proceed here. We would be happy if we could use this feature. Is there a timeline for when we can expect it? Thank you very much for your efforts. |
|
@AlexisSouquiere we tested the Caffeine-based caching locally now, and it makes everything a lot faster. Maybe I should merge it into the main PR? |
|
@sverrehu I think I missed this comment 😢 Yes I think it would be better to have it in the same PR |
I merged the caching into the main PR no. PTAL, @AlexisSouquiere ! |
|
Thanks ! I'm working on it |
We have implemented a REST-based role-mapper.
It fails for users who have access to a large number of topics, because the JWT is rewritten to contain all the mapped groups, which in turn contain a large number of patterns for our topics.
The JWT is further set in a cookie, and cookies are typically limited to about 4 KiB. Even though the content is gzipped and BASE64-encoded, the size by far exceeds 4 KiB in our clusters.
We think it would be possible to keep the mapping server-side, and look it up based on the original JWT.
The text was updated successfully, but these errors were encountered: