Closed Gallardot closed 5 years ago
@Gallardot already answered your question: https://github.com/fabric8io/openshift-elasticsearch-plugin/issues/172#issuecomment-481805127 This is the only reason
Any request that includes a bearer token performs, as you noted, three requests (possibly more) against the API server. Fluent utilizes certificates; the request does not send a token so these requests are not made. The ONLY reason ACLs are synced every time is because we removed caching because of inconsistent behavior reported by users when we did have caching. It's likely it worked as expected, but manifested itself differently to users and it was user perception issues.
There is no philosophical or technical reason to not add a cache; it's simply the time required for someone to do the work.
In our scenario:
The index scenario: We only use fluentd to collect logs. Fluentd will write logs into ElasticSearch with a certificate. I think this is not going through openshift-elasticsearch-plugin. Is that right?
The query scenario: The user accesses ElasticSearch through Kibana. I think this is going through openshift-elasticsearch-plugin. This plugin synchronizes the ACL from OpenShift to ElasticSearch on every request so that searchguard can use it. Is that right?
If I’m right, my question is: why do we need to sync the ACL on every request? By observing ElasticSearch's log, we can see that the synchronization operation takes a lot of time.
Some log:
Authentication is ok. took 236ms
Sync ACL. took 502 ms.
But we take only 200 milliseconds to access Elasticsearch directly. Therefore, in our scenario we want to reduce the ACL sync operations. We need some help.