[SERVER-22716] MongoDB authentication is 37x slower in 3.0.8 vs 2.6.11 Created: 18/Feb/16  Updated: 08/Jan/24  Resolved: 22/Mar/16

Status: Closed
Project: Core Server
Component/s: Performance, Security
Affects Version/s: 3.0.8
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Scott Kurowski Assignee: Andreas Nilsson
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

OS X, Linux


Issue Links:
Related
Backwards Compatibility: Fully Compatible
Operating System: ALL
Steps To Reproduce:

Reproduced with non-enterprise versions 3.0.8 and 2.6.11 using Node.js driver 5.4.1 with module 2.1.3, swapping only the MongoDB binaries used and the clean data folder paths, and using the same Node.js driver and test code in both timing runs.

Prerequisites: Install mtools, m and node on a single Mac OS X system. Install both MongoDB versions using m.

Cluster configuration for 2.6.11:
mlaunch init --replicaset --port 27017 --nodes 3 --binarypath /usr/local/m/versions/2.6.11/bin --hostname localhost --auth --auth-user user --auth-password password --smallfiles --mongos 1 --config 1 --sharded sh1 sh2 sh3

Cluster configuration for 3.0.8:
mlaunch init --replicaset --port 27017 --nodes 3 --binarypath /usr/local/m/versions/3.0.8/bin --hostname localhost --auth --auth-user user --auth-password password --smallfiles --mongos 1 --config 1 --sharded sh1 sh2 sh3

When the cluster is spun up, add the userid before running the test Node.js code:

mongo -u user -p password admin
> use node_test_db
> db.createUser(
    {
         user: "node_test",
         pwd: "password",
         roles: [ { role: "dbOwner", db: "node_test_db" } ]
    }
)

Run a Node.js script that opens multiple connections to the node_test_db mongos process in a batch, then authenticates those connections in a batch, and reports the total timings for each batch.

Sprint: Security 10 (02/19/16), Security 11 (03/11/16), Security 12 (04/01/16)
Participants:

 Description   

Connection timings remain similar; however, authentication is about 37x slower, and test timings of various counts of authenticated connections show a linear timing correlation with connection count.

Version 2.6.11 Repro Test Timings

Trial Connections   Connect (secs)    Auth (secs)
1        200          0.215             0.275
2        200          0.212             0.273
3        150          0.161             0.204
4        150          0.161             0.205
5        100          0.110             0.140
5        100          0.112             0.145

Version 3.0.8 Repro Test Timings

Trial Connections   Connect (secs)    Auth (secs)
1        150          0.162             7.685
2        150          0.161             7.734
3        100          0.111             5.229
4        100          0.111             5.190
5         10          0.020             0.550
6         10          0.170             0.546
7          1          0.017             0.095
8          1          0.018             0.010

Reproduced with non-enterprise versions 3.0.8 and 2.6.11 using Node.js driver 5.4.1 with module 2.1.3.



 Comments   
Comment by Andreas Nilsson [ 22/Mar/16 ]

Per offline discussion we did some investigation into this, and this behavior is expected. SCRAM-SHA-1 requires authenticating clients perform a large amount of computation to produce a SaltedPassword. This is intended to make brute forcing the password from the authentication exchange computationally impractical.

In the provided workload, all the CPU time spent was in the client application, as it computed this SaltedPassword. Using a more recent version of the Node.js driver with dynamic pool sizing will prevent the application from blocking on startup while waiting to preallocate its connection pools. Dynamic pool sizing is likely sufficient for most use cases.

I will go ahead and close this ticket as "Community Answered".

Kind regards,
Andreas
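
The client-side cost described in the comment above, as an added example that is not part of the ticket and is not the Node.js driver's code: the SCRAM SaltedPassword is the RFC 5802 Hi() function (one PBKDF2-HMAC-SHA1 block), computed by the client for every connection it authenticates. The example goes beyond the comment by also showing the SaltedPassword cache that RFC 5802 permits. `ScramClient`, `authenticateBatch`, the salt, and the iteration count of 10000 are assumptions made for illustration, and only the SaltedPassword step of the exchange is covered.

```javascript
const crypto = require('crypto');

// Hi() from RFC 5802: U1 = HMAC(pw, salt || INT(1)), Ui = HMAC(pw, U(i-1)),
// result = U1 XOR U2 XOR ... XOR Ui. Identical to one PBKDF2-HMAC-SHA1 block.
function hi(password, salt, iterations) {
  let u = crypto.createHmac('sha1', password)
    .update(Buffer.concat([salt, Buffer.from([0, 0, 0, 1])])).digest();
  const out = Buffer.from(u);
  for (let i = 1; i < iterations; i++) {
    u = crypto.createHmac('sha1', password).update(u).digest();
    for (let j = 0; j < out.length; j++) out[j] ^= u[j];
  }
  return out;
}

// Hypothetical client: derives SaltedPassword once per authentication, or once
// per (salt, iteration count) when caching is enabled.
class ScramClient {
  constructor(password, { cache = false } = {}) {
    this.password = Buffer.from(password, 'utf8');
    this.cache = cache ? new Map() : null;
    this.derivations = 0; // number of full key-stretching runs performed
  }
  saltedPassword(salt, iterations) {
    const key = `${salt.toString('hex')}:${iterations}`;
    if (this.cache && this.cache.has(key)) return this.cache.get(key);
    this.derivations += 1;
    const sp = crypto.pbkdf2Sync(this.password, salt, iterations, 20, 'sha1');
    if (this.cache) this.cache.set(key, sp);
    return sp;
  }
}

// Authenticate `connections` sockets for the same user; the server sends the
// same stored salt and iteration count each time, only the nonces differ.
function authenticateBatch(client, connections, salt, iterations) {
  const start = process.hrtime.bigint();
  for (let c = 0; c < connections; c++) client.saltedPassword(salt, iterations);
  return { derivations: client.derivations,
           ms: Number(process.hrtime.bigint() - start) / 1e6 };
}

const SALT = Buffer.from('constructed-salt-16b', 'utf8'); // constructed sample
const ITERATIONS = 10000; // assumed iteration count, not stated in the ticket
for (const cache of [false, true]) {
  const r = authenticateBatch(new ScramClient('password', { cache }), 50, SALT, ITERATIONS);
  console.log(`cache=${cache} derivations=${r.derivations} ms=${r.ms.toFixed(1)}`);
}
```

A cached SaltedPassword is sufficient to authenticate as that user to that server, so it belongs in process memory only and should be discarded with the credentials.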
