-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[FEATURE REQ] azure-identity-extensions for PostgreSQL is inneficient #39393
Comments
Thank you for your feedback. Tagging and routing to the team member best able to assist. |
@paulaustin-automutatio Assigning to @saragluna to take a look. |
Have a look at com.azure.identity.extensions.jdbc.postgresql.AzurePostgresqlAuthenticationPlugin Put a breakpoint in the constructor and you will see that it is created for every new database connection. That means it has to get a new token every time as that instance can't be cached. PostgreSQL driver provides no way to cache it. You'd have to do some kind of caching using a static variable. |
This behavior makes it very unusable in scenarios where we want to use pgBouncer. A new token is requested all the time whenever a new connection is made by an application. |
We will look into it. |
Hi @paulaustin-automutatio and @pdefreitas , the token is cached in the layer
the For your reference, I pasted the logs for MySQL token acquisition, first time was from internal AAD endpoint and second time was from the cache: First request responded from internal AAD endpoint: 2024-12-26T06:11:30.059Z DEBUG 13736 --- [ForkJoinPool.commonPool-worker-1] .m.AcquireTokenByManagedIdentitySupplier : ForceRefresh set to false. Attempting cache lookup
2024-12-26T06:11:30.061Z DEBUG 13736 --- [ForkJoinPool.commonPool-worker-1] c.m.a.m.AadInstanceDiscoveryProvider : Instance discovery set to false, caching a default entry.
2024-12-26T06:11:30.068Z DEBUG 13736 --- [ForkJoinPool.commonPool-worker-1] .m.AcquireTokenByManagedIdentitySupplier : Cache lookup failed: Token not found in the cache
2024-12-26T06:11:30.068Z INFO 13736 --- [ForkJoinPool.commonPool-worker-1] c.m.a.msal4j.IMDSManagedIdentitySource : [Managed Identity] Unable to find AZURE_POD_IDENTITY_AUTHORITY_HOST environment variable for IMDS, using the default endpoint.
2024-12-26T06:11:30.069Z INFO 13736 --- [ForkJoinPool.commonPool-worker-1] c.m.a.msal4j.IMDSManagedIdentitySource : [Managed Identity] Creating IMDS managed identity source. Endpoint URI: http://169.254.169.254/metadata/identity/oauth2/token
2024-12-26T06:11:30.069Z DEBUG 13736 --- [ForkJoinPool.commonPool-worker-1] .m.AcquireTokenByManagedIdentitySupplier : [Managed Identity] Managed Identity source and ID type identified and set successfully, request will use Managed Identity for IMDS
2024-12-26T06:11:30.069Z INFO 13736 --- [ForkJoinPool.commonPool-worker-1] c.m.a.msal4j.IMDSManagedIdentitySource : [Managed Identity] Adding user assigned ID to the request for IMDS Managed Identity.
2024-12-26T06:11:30.069Z INFO 13736 --- [ForkJoinPool.commonPool-worker-1] c.m.aad.msal4j.ManagedIdentityRequest : [Managed Identity] Adding user assigned client id to the request.
2024-12-26T06:11:30.438Z INFO 13736 --- [ForkJoinPool.commonPool-worker-1] com.microsoft.aad.msal4j.HttpHelper : [Correlation ID: null] Sent (null) Correlation Id is not same as received (null).
2024-12-26T06:11:30.438Z INFO 13736 --- [ForkJoinPool.commonPool-worker-1] c.m.a.m.AbstractManagedIdentitySource : [Managed Identity] Successful response received.
2024-12-26T06:11:30.521Z DEBUG 13736 --- [ForkJoinPool.commonPool-worker-1] c.m.a.msal4j.ManagedIdentityApplication : [Correlation ID: 47e2c671-59b9-4a18-8907-65082e41bda4] Access Token was returned
2024-12-26T06:11:30.522Z INFO 13736 --- [ForkJoinPool.commonPool-worker-1] c.a.identity.ManagedIdentityCredential : Azure Identity => Managed Identity environment: Managed Identity
2024-12-26T06:11:30.522Z DEBUG 13736 --- [ForkJoinPool.commonPool-worker-1] c.a.identity.ManagedIdentityCredential : Azure Identity => getToken() result for scopes [https://ossrdbms-aad.database.windows.net/.default]: SUCCESS
Second request responded from the cache: 2024-12-26T06:13:23.514Z DEBUG 13736 --- [ForkJoinPool.commonPool-worker-3] .m.AcquireTokenByManagedIdentitySupplier : ForceRefresh set to false. Attempting cache lookup
2024-12-26T06:13:23.514Z DEBUG 13736 --- [ForkJoinPool.commonPool-worker-3] c.m.a.msal4j.AcquireTokenSilentSupplier : Returning token from cache
2024-12-26T06:13:23.515Z DEBUG 13736 --- [ForkJoinPool.commonPool-worker-3] c.m.a.msal4j.ManagedIdentityApplication : [Correlation ID: 83f51f18-19a9-43d2-b224-52f1fc83d316] Access Token was returned
2024-12-26T06:13:23.515Z INFO 13736 --- [ForkJoinPool.commonPool-worker-3] c.a.identity.ManagedIdentityCredential : Azure Identity => Managed Identity environment: Managed Identity
2024-12-26T06:13:23.515Z DEBUG 13736 --- [ForkJoinPool.commonPool-worker-3] c.a.identity.ManagedIdentityCredential : Azure Identity => getToken() result for scopes [https://ossrdbms-aad.database.windows.net/.default]: SUCCESS |
@moarychan what you're stating is correct for MySQL it indeed caches the token, but for PostgreSQL it doesn't have the same behavior. During our tests we've noticed the token is not cached for PostgreSQL, the implementation shows signs it doesn't have the same caching logic because the MySQL implementation uses the same instance. From our tests, |
Hi @pdefreitas thanks for your update! As far as I know, the cache under msal4j should have the same behavior for each authentication plugin implementation. Not familiar with pgbouncer, could you help provide a minimal project to reproduce your issue? |
@moarychan Azure provides pgbouncer on PostgreSQL - Flexible Server Link. |
Hi @pdefreitas , I tried with PGBouncer enabled, which results using jdbc url with another port Below are the logs and removed some unwanted info: 2025-01-07T07:00:38.990Z DEBUG 5612 --- [main] c.a.i.e.i.t.AzureAuthenticationTemplate : Initializing AzureAuthenticationTemplate.
2025-01-07T07:00:39.087Z DEBUG 5612 --- [main] c.a.identity.ManagedIdentityCredential : Azure Identity => Found the following environment variables:
2025-01-07T07:00:39.092Z DEBUG 5612 --- [main] c.a.i.e.i.t.AzureAuthenticationTemplate : Initialized AzureAuthenticationTemplate.
2025-01-07T07:00:39.522Z DEBUG 5612 --- [ForkJoinPool.commonPool-worker-1] .m.AcquireTokenByManagedIdentitySupplier : ForceRefresh set to false. Attempting cache lookup
2025-01-07T07:00:39.525Z DEBUG 5612 --- [ForkJoinPool.commonPool-worker-1] c.m.a.m.AadInstanceDiscoveryProvider : Instance discovery set to false, caching a default entry.
2025-01-07T07:00:39.537Z DEBUG 5612 --- [ForkJoinPool.commonPool-worker-1] .m.AcquireTokenByManagedIdentitySupplier : Cache lookup failed: Token not found in the cache
2025-01-07T07:00:39.538Z INFO 5612 --- [ForkJoinPool.commonPool-worker-1] c.m.a.msal4j.IMDSManagedIdentitySource : [Managed Identity] Unable to find AZURE_POD_IDENTITY_AUTHORITY_HOST environment variable for IMDS, using the default endpoint.
2025-01-07T07:00:39.538Z INFO 5612 --- [ForkJoinPool.commonPool-worker-1] c.m.a.msal4j.IMDSManagedIdentitySource : [Managed Identity] Creating IMDS managed identity source. Endpoint URI: http://169.254.169.254/metadata/identity/oauth2/token
2025-01-07T07:00:39.539Z DEBUG 5612 --- [ForkJoinPool.commonPool-worker-1] .m.AcquireTokenByManagedIdentitySupplier : [Managed Identity] Managed Identity source and ID type identified and set successfully, request will use Managed Identity for IMDS
2025-01-07T07:00:39.539Z INFO 5612 --- [ForkJoinPool.commonPool-worker-1] c.m.a.msal4j.IMDSManagedIdentitySource : [Managed Identity] Adding user assigned ID to the request for IMDS Managed Identity.
2025-01-07T07:00:39.540Z INFO 5612 --- [ForkJoinPool.commonPool-worker-1] c.m.aad.msal4j.ManagedIdentityRequest : [Managed Identity] Adding user assigned client id to the request.
2025-01-07T07:00:39.956Z INFO 5612 --- [ForkJoinPool.commonPool-worker-1] com.microsoft.aad.msal4j.HttpHelper : [Correlation ID: null] Sent (null) Correlation Id is not same as received (null).
2025-01-07T07:00:39.957Z INFO 5612 --- [ForkJoinPool.commonPool-worker-1] c.m.a.m.AbstractManagedIdentitySource : [Managed Identity] Successful response received.
2025-01-07T07:00:40.032Z DEBUG 5612 --- [ForkJoinPool.commonPool-worker-1] c.m.a.msal4j.ManagedIdentityApplication : [Correlation ID: 666ce3b4-6d67-41e1-82b2-e1ba85b3d1d0] Access Token was returned
2025-01-07T07:00:40.033Z INFO 5612 --- [ForkJoinPool.commonPool-worker-1] c.a.identity.ManagedIdentityCredential : Azure Identity => Managed Identity environment: Managed Identity
2025-01-07T07:00:40.034Z DEBUG 5612 --- [ForkJoinPool.commonPool-worker-1] c.a.identity.ManagedIdentityCredential : Azure Identity => getToken() result for scopes [https://ossrdbms-aad.database.windows.net/.default]: SUCCESS
2025-01-07T07:00:40.083Z INFO 5612 --- [main] o.e.PostgresqlWithAuthenticationPlugin : [0 - Connection via Default credential provider] - 0 Connection successful!
2025-01-07T07:00:40.101Z INFO 5612 --- [main] o.e.PostgresqlWithAuthenticationPlugin : [0 - Connection via Default credential provider] Current number from PostgreSQL: 2025-01-07 07:00:40.094219+00
2025-01-07T07:00:40.127Z DEBUG 5612 --- [main] c.a.i.e.i.t.AzureAuthenticationTemplate : Initializing AzureAuthenticationTemplate.
2025-01-07T07:00:40.128Z DEBUG 5612 --- [main] c.a.identity.ManagedIdentityCredential : Azure Identity => Found the following environment variables:
2025-01-07T07:00:40.128Z DEBUG 5612 --- [main] c.a.i.e.i.t.AzureAuthenticationTemplate : Initialized AzureAuthenticationTemplate.
2025-01-07T07:00:40.129Z DEBUG 5612 --- [ForkJoinPool.commonPool-worker-1] .m.AcquireTokenByManagedIdentitySupplier : ForceRefresh set to false. Attempting cache lookup
2025-01-07T07:00:40.130Z DEBUG 5612 --- [ForkJoinPool.commonPool-worker-1] c.m.a.msal4j.AcquireTokenSilentSupplier : Returning token from cache
2025-01-07T07:00:40.130Z DEBUG 5612 --- [ForkJoinPool.commonPool-worker-1] c.m.a.msal4j.ManagedIdentityApplication : [Correlation ID: a0d20c65-a2e9-4ac5-a278-fe6cf61a3602] Access Token was returned
2025-01-07T07:00:40.130Z INFO 5612 --- [ForkJoinPool.commonPool-worker-1] c.a.identity.ManagedIdentityCredential : Azure Identity => Managed Identity environment: Managed Identity
2025-01-07T07:00:40.131Z DEBUG 5612 --- [ForkJoinPool.commonPool-worker-1] c.a.identity.ManagedIdentityCredential : Azure Identity => getToken() result for scopes [https://ossrdbms-aad.database.windows.net/.default]: SUCCESS
2025-01-07T07:00:40.135Z INFO 5612 --- [main] o.e.PostgresqlWithAuthenticationPlugin : [1 - Connection via Default credential provider] - 1 Connection successful!
2025-01-07T07:00:40.137Z INFO 5612 --- [main] o.e.PostgresqlWithAuthenticationPlugin : [1 - Connection via Default credential provider] Current number from PostgreSQL: 2025-01-07 07:00:40.137537+00
2025-01-07T07:00:40.160Z DEBUG 5612 --- [main] c.a.i.e.i.t.AzureAuthenticationTemplate : Initializing AzureAuthenticationTemplate.
2025-01-07T07:00:40.161Z DEBUG 5612 --- [main] c.a.identity.ManagedIdentityCredential : Azure Identity => Found the following environment variables:
2025-01-07T07:00:40.162Z DEBUG 5612 --- [main] c.a.i.e.i.t.AzureAuthenticationTemplate : Initialized AzureAuthenticationTemplate.
2025-01-07T07:00:40.163Z DEBUG 5612 --- [ForkJoinPool.commonPool-worker-1] .m.AcquireTokenByManagedIdentitySupplier : ForceRefresh set to false. Attempting cache lookup
2025-01-07T07:00:40.164Z DEBUG 5612 --- [ForkJoinPool.commonPool-worker-1] c.m.a.msal4j.AcquireTokenSilentSupplier : Returning token from cache
2025-01-07T07:00:40.165Z DEBUG 5612 --- [ForkJoinPool.commonPool-worker-1] c.m.a.msal4j.ManagedIdentityApplication : [Correlation ID: a5034f8c-b499-4b64-b8a7-73686c79432b] Access Token was returned
2025-01-07T07:00:40.165Z INFO 5612 --- [ForkJoinPool.commonPool-worker-1] c.a.identity.ManagedIdentityCredential : Azure Identity => Managed Identity environment: Managed Identity
2025-01-07T07:00:40.166Z DEBUG 5612 --- [ForkJoinPool.commonPool-worker-1] c.a.identity.ManagedIdentityCredential : Azure Identity => getToken() result for scopes [https://ossrdbms-aad.database.windows.net/.default]: SUCCESS
2025-01-07T07:00:40.170Z INFO 5612 --- [main] o.e.PostgresqlWithAuthenticationPlugin : [2 - Connection via Default credential provider] - 2 Connection successful!
2025-01-07T07:00:40.171Z INFO 5612 --- [main] o.e.PostgresqlWithAuthenticationPlugin : [2 - Connection via Default credential provider] Current number from PostgreSQL: 2025-01-07 07:00:40.171459+00
|
Hi @pdefreitas, I want to double confirm which authentication method you used, no managed identity credential is used, right? |
@moarychan we're using workload identities through Microsoft Entra Workload ID. I guess we will have to tweak logging levels to logging and instrumentation, we can try it out when #43659 is available. |
@pdefreitas , thanks for your update! The next version of the azure-identity-extension will resolve this issue. |
I want to explain more on this, the ManagedIdentity credential has a shared token cache, so even if multiple connections create multiple token credential instances, they will use the cached token. But other token credential types, such as workload identity, only have instance level token cache. In those cases, multiple connections will create multiple token credential instances, in hence retrieving token multiple times. That's why #43659 will fix the issue; for it will cache the token credential instance. |
@saragluna it's cool that |
@pdefreitas please wait for the next release, will keep you posted. |
@saragluna ok thank you. A workaround for anyone who wants to try it out you can force the dependency to 1.2.0 by directly making
|
https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/identity/azure-identity-extensions
I just wanted to let you know that the way the above is implemented for PostgreSQL is inefficient.
This is due to the way that the postgreSQL driver creates an instance of the authenticator plugin for each connection request.
This means that a new token is requested for each connection request.
I'm just reporting this as a courtesy as I'm not going to be using this code
The text was updated successfully, but these errors were encountered: