remove unnecessary LRU for internode auth token (#20119)

removes contentious usage of mutexes in LRU, which were never really reused in any manner; we do not need it. To trust hosts, the correct way is TLS certs; this PR completely removes this dependency, which has never been useful. ``` 0 0% 100% 25.83s 26.76% github.com/hashicorp/golang-lru/v2/expirable.(*LRU[...]) 0 0% 100% 28.03s 29.04% github.com/hashicorp/golang-lru/v2/expirable.(*LRU[...]) ``` Bonus: use `x-minio-time` as a nanosecond to avoid unnecessary parsing logic of time strings instead of using a more straightforward mechanism.
2025-11-08 21:24:55 -05:00 · 2024-07-22 00:04:48 -07:00
parent 3ef59d2821
commit 8e618d45fc
17 changed files with 58 additions and 475 deletions
--- a/internal/grid/debug.go
+++ b/internal/grid/debug.go
@@ -169,13 +169,13 @@ func dummyRequestValidate(r *http.Request) error {
 	return nil
 }

-func dummyTokenValidate(token, audience string) error {
-	if token == audience {
+func dummyTokenValidate(token string) error {
+	if token == "debug" {
 		return nil
 	}
-	return fmt.Errorf("invalid token. want %s, got %s", audience, token)
+	return fmt.Errorf("invalid token. want empty, got %s", token)
 }

-func dummyNewToken(audience string) string {
-	return audience
+func dummyNewToken() string {
+	return "debug"
 }
--- a/internal/grid/grid.go
+++ b/internal/grid/grid.go
@@ -26,6 +26,7 @@ import (
 	"io"
 	"net"
 	"net/http"
+	"strconv"
 	"strings"
 	"sync"
 	"time"
@@ -208,8 +209,8 @@ func ConnectWS(dial ContextDialer, auth AuthFn, tls *tls.Config) func(ctx contex
 			dialer.NetDial = dial
 		}
 		header := make(http.Header, 2)
-		header.Set("Authorization", "Bearer "+auth(""))
-		header.Set("X-Minio-Time", time.Now().UTC().Format(time.RFC3339))
+		header.Set("Authorization", "Bearer "+auth())
+		header.Set("X-Minio-Time", strconv.FormatInt(time.Now().UnixNano(), 10))

 		if len(header) > 0 {
 			dialer.Header = ws.HandshakeHeaderHTTP(header)
@@ -225,4 +226,4 @@ func ConnectWS(dial ContextDialer, auth AuthFn, tls *tls.Config) func(ctx contex
 }

 // ValidateTokenFn must validate the token and return an error if it is invalid.
-type ValidateTokenFn func(token, audience string) error
+type ValidateTokenFn func(token string) error
--- a/internal/grid/manager.go
+++ b/internal/grid/manager.go
@@ -245,7 +245,7 @@ func (m *Manager) IncomingConn(ctx context.Context, conn net.Conn) {
 		writeErr(fmt.Errorf("time difference too large between servers: %v", time.Since(cReq.Time).Abs()))
 		return
 	}
-	if err := m.authToken(cReq.Token, cReq.audience()); err != nil {
+	if err := m.authToken(cReq.Token); err != nil {
 		writeErr(fmt.Errorf("auth token: %w", err))
 		return
 	}
@@ -257,10 +257,10 @@ func (m *Manager) IncomingConn(ctx context.Context, conn net.Conn) {
 }

 // AuthFn should provide an authentication string for the given aud.
-type AuthFn func(aud string) string
+type AuthFn func() string

 // ValidateAuthFn should check authentication for the given aud.
-type ValidateAuthFn func(auth, aud string) string
+type ValidateAuthFn func(auth string) string

 // Connection will return the connection for the specified host.
 // If the host does not exist nil will be returned.
--- a/internal/grid/msg.go
+++ b/internal/grid/msg.go
@@ -262,14 +262,9 @@ type connectReq struct {
 	Token string
 }

-// audience returns the audience for the connect call.
-func (c *connectReq) audience() string {
-	return fmt.Sprintf("%s-%d", c.Host, c.Time.Unix())
-}
-
 // addToken will add the token to the connect request.
 func (c *connectReq) addToken(fn AuthFn) {
-	c.Token = fn(c.audience())
+	c.Token = fn()
 }

 func (connectReq) Op() Op {
--- a/internal/rest/client.go
+++ b/internal/rest/client.go
@@ -28,6 +28,7 @@ import (
 	"net/http/httputil"
 	"net/url"
 	"path"
+	"strconv"
 	"strings"
 	"sync"
 	"sync/atomic"
@@ -95,9 +96,9 @@ type Client struct {
 	// TraceOutput will print debug information on non-200 calls if set.
 	TraceOutput io.Writer // Debug trace output

-	httpClient   *http.Client
-	url          *url.URL
-	newAuthToken func(audience string) string
+	httpClient *http.Client
+	url        *url.URL
+	auth       func() string

 	sync.RWMutex // mutex for lastErr
 	lastErr      error
@@ -188,10 +189,10 @@ func (c *Client) newRequest(ctx context.Context, u url.URL, body io.Reader) (*ht
 		}
 	}

-	if c.newAuthToken != nil {
-		req.Header.Set("Authorization", "Bearer "+c.newAuthToken(u.RawQuery))
+	if c.auth != nil {
+		req.Header.Set("Authorization", "Bearer "+c.auth())
 	}
-	req.Header.Set("X-Minio-Time", time.Now().UTC().Format(time.RFC3339))
+	req.Header.Set("X-Minio-Time", strconv.FormatInt(time.Now().UnixNano(), 10))

 	if tc, ok := ctx.Value(mcontext.ContextTraceKey).(*mcontext.TraceCtxt); ok {
 		req.Header.Set(xhttp.AmzRequestID, tc.AmzReqID)
@@ -387,7 +388,7 @@ func (c *Client) Close() {
 }

 // NewClient - returns new REST client.
-func NewClient(uu *url.URL, tr http.RoundTripper, newAuthToken func(aud string) string) *Client {
+func NewClient(uu *url.URL, tr http.RoundTripper, auth func() string) *Client {
 	connected := int32(online)
 	urlStr := uu.String()
 	u, err := url.Parse(urlStr)
@@ -404,7 +405,7 @@ func NewClient(uu *url.URL, tr http.RoundTripper, newAuthToken func(aud string)
 	clnt := &Client{
 		httpClient:               &http.Client{Transport: tr},
 		url:                      u,
-		newAuthToken:             newAuthToken,
+		auth:                     auth,
 		connected:                connected,
 		lastConn:                 time.Now().UnixNano(),
 		MaxErrResponseSize:       4096,