[SERVER-26952] Cache SCRAM-SHA-1 ClientKey Created: 08/Nov/16 Updated: 17/Oct/17 Resolved: 02/Feb/17 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Internal Client |
| Affects Version/s: | None |
| Fix Version/s: | 3.2.16, 3.4.4, 3.5.3 |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Spencer Jackson | Assignee: | Spencer Jackson |
| Resolution: | Done | Votes: | 0 |
| Labels: | bkp |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backwards Compatibility: | Fully Compatible |
| Backport Requested: | v3.4, v3.2 |
| Sprint: | Platforms 2017-03-27 |
| Participants: | |
| Case: | (copied to CRM) |
| Description |
|
SCRAM-SHA-1, by design, consumes a great deal of CPU resources while performing authentication. This can be a problem while populating connection pools, where many clients are authenticating at once. Fortunately, most of the expensive computations of SCRAM can be reused across multiple authentication requests. RFC5802 makes provisions for this:
|
| Comments |
| Comment by Githook User [ 11/Jul/17 ] |
|
Author: Spencer Jackson (spencerjackson) <spencer.jackson@mongodb.com>
Message: (cherry picked from commit 47da0b53f9cd27aeec1d2822780784866269a47d) |
| Comment by Githook User [ 07/Apr/17 ] |
|
Author: Spencer Jackson (spencerjackson) <spencer.jackson@mongodb.com>
Message: (cherry picked from commit 47da0b53f9cd27aeec1d2822780784866269a47d) |
| Comment by Githook User [ 02/Feb/17 ] |
|
Author: Spencer Jackson (spencerjackson) <spencer.jackson@mongodb.com>
Message: |
| Comment by David Golden [ 09/Dec/16 ] |
|
N.B. SaltedPassword and thus ClientKey and ServerKey are a function of both salt and iteration count, so the cache would be invalid if either change (which is fortunately also unlikely in the timeframe of multiple server connections in a pool). |
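The caching described in this ticket, together with the invalidation rule from the last comment, as an added example that is not MongoDB's code or part of the original issue: a client caches ClientKey and ServerKey and recomputes them only when the salt or iteration count changes. The class name `ScramSha1Client` and the `pbkdf2_runs` counter are hypothetical, SASLprep normalization is skipped (ASCII password assumed), and the sample values are those of the RFC 5802 example exchange.

```python
import base64
import hashlib
import hmac


class ScramSha1Client:
    """One credential plus its cached ClientKey/ServerKey (hypothetical class)."""

    def __init__(self, password: bytes):
        self._password = password
        self._cache_key = None   # (salt, iterations) the cached keys were derived for
        self._keys = None        # (ClientKey, ServerKey)
        self.pbkdf2_runs = 0     # counts the expensive step, for the demo only

    def _derive_keys(self, salt: bytes, iterations: int):
        if self._cache_key != (salt, iterations):
            # Cache miss: first login, or the server changed salt or iteration count.
            salted = hashlib.pbkdf2_hmac("sha1", self._password, salt, iterations)
            self.pbkdf2_runs += 1
            self._keys = (
                hmac.new(salted, b"Client Key", hashlib.sha1).digest(),
                hmac.new(salted, b"Server Key", hashlib.sha1).digest(),
            )
            self._cache_key = (salt, iterations)
        return self._keys

    def prove(self, salt: bytes, iterations: int, auth_message: bytes):
        """Return (ClientProof, expected ServerSignature), both base64-encoded."""
        client_key, server_key = self._derive_keys(salt, iterations)
        stored_key = hashlib.sha1(client_key).digest()
        client_sig = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
        proof = bytes(a ^ b for a, b in zip(client_key, client_sig))
        server_sig = hmac.new(server_key, auth_message, hashlib.sha1).digest()
        return base64.b64encode(proof).decode(), base64.b64encode(server_sig).decode()


if __name__ == "__main__":
    # Sample input: RFC 5802 example exchange (user "user", password "pencil").
    salt = base64.b64decode("QSXCR+Q6sek8bf92")
    auth = (b"n=user,r=fyko+d2lbbFgONRv9qkxdawL,"
            b"r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096,"
            b"c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j")
    client = ScramSha1Client(b"pencil")
    for _ in range(3):                   # three logins share one PBKDF2 run
        print(client.prove(salt, 4096, auth), client.pbkdf2_runs)
    client.prove(salt, 8192, auth)       # iteration count changed: keys recomputed
    print(client.pbkdf2_runs)
```

A cached ClientKey is enough to produce valid proofs for that user at that salt and iteration count, so it needs the same in-memory handling as the password itself.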