Hi,
On 2024-06-14 12:27:12 -0400, Tom Lane wrote:
> Andres Freund <andres@anarazel.de> writes:
> > Initializing the gss cache at all isn't so much the problem. It's that we do
> > it for every connection. And that doing so requires locking inside gss. So
> > maybe we could just globally cache that gss isn't available, instead of
> > rediscovering it over and over for every new connection.
>
> I had the impression that krb5 already had such a cache internally.
Well, if so, it clearly doesn't seem to work very well, given that it causes
contention at ~15k lookups/sec. That's obviously a trivial number for anything
cached, even with the worst possible locking regimen.
> Maybe they don't cache the "failed" state though. I doubt we'd
> want to either in long-lived processes --- what if the user
> installs the credential while we're running?
If we can come up with something better - cool. But it doesn't seem great that
gss introduces contention for the vast majority of folks that use libpq in
environments that never use gss.
I don't think we should cache the set of credentials when gss is actually
available on a process-wide basis, just the fact that gss isn't available at
all. I think it's very unlikely for that fact to change while an application
is running. And if it happens, requiring a restart in those cases seems an
acceptable price to pay for what is effectively a niche feature.
Greetings,
Andres Freund