History | Log In     View a printable version of the current page.  
   HOME       BROWSE PROJECT       FIND ISSUES   
    QUICK SEARCH:  
Issue Details (XML | Word | Printable)

Key: QB-1917
Type: Bug Bug
Status: Closed Closed
Resolution: Won't Fix
Priority: Blocker Blocker
Assignee: Robin Shen
Reporter: Maikel vd Hurk
Votes: 1
Watchers: 0
Operations

If you were logged in you would be able to see more operations.
QuickBuild

Add default limitation to RestAPI calls which can bring system to not responding

Created: 21/Jan/14 08:08 AM   Updated: 17/Jan/18 07:18 AM
Component/s: None
Affects Version/s: 5.1.7
Fix Version/s: None

Original Estimate: Unknown Remaining Estimate: Unknown Time Spent: Unknown


 Description  « Hide
Add default limitation to RestAPI calls which can bring system to not responding. Currently calls like for example:
Search Builds (http://localhost:8810/rest/builds?&lt;search criteria1>=<value1>&<search criteria2>=<value2>&...)
Get child configurations of specified configuration (http://localhost:8810/rest/configurations?parent_id=&lt;parent configuration id>)
Get all descendent configurations of specified configuration (http://localhost:8810/rest/configurations?parent_id=&lt;parent configuration id>&recursive=true)
Get all configurations in the system (http://localhost:8810/rest/configurations?recursive=true)

This kind of RestAPI calls can bring the server in 'not responding' mode, ie UI not accessible at all anymore or heap space problems. It would be good to add some default limit on this calls so that system hang up can be avoided.

 All   Comments   Work Log   Change History      Sort Order:
[ Permlink | « Hide ]
Maikel vd Hurk [21/Jan/14 08:32 PM]
Also consider option to separate the two servers so that you have full control on which server is causing problems.

[ Permlink | « Hide ]
Robin Shen [22/Jan/14 01:05 AM]
Instead of putting limit on various API calls (which is somewhat difficult to determine in what situation to limit), QB 5.1.7 has an extra group permission to control if the group can access the system via RESTful API. Therefore, you may use this option to limit RESTful API calls to trained and trusted users. Also this normally happens when there are a lot of configurations, if you have too many configurations running on a single server, please consider to split the configurations to multiple servers to avoid potential performance issue.

[ Permlink | « Hide ]
Maikel vd Hurk [22/Jan/14 09:18 AM]
I know about this limitation, but still even trained people can make a failure and do certain call. Therefore it would be better to avoid running out of heap space when there is a large amount of configurations, one option can be:
1) Limit calls which is quite hard to do because the limit is based as well on heap/memory settings
2) Separate the two servers so that you RestAPI is not influencing performance of main server

You want a stable as possible system and not require to restart server due to fact that someone did a surge of wrong calls on restapi. Splitting configurations to multiple servers is not very user friendly in a large scale project, as you would still want to have one main entry point for end users (what is behind the scene happening should be transparent).

[ Permlink | « Hide ]
Robin Shen [22/Jan/14 09:44 AM]
Separate RESTful API handling logic into another server is not possible for now due to complex internal state of the build server (and this is the same reason why most CI solutions can not be clusterred). As to limit API calls based on heap size, it may not be feasible as often the out of memory issue is caused by GC thread taking too much time compared to normal tasks (GC overhead limit), not to mention that it is not easy to calculate the memory required by a configuration (highly depends on how many steps/repositories/... are defined) before actually getting them from database.


Powered by Atlassian JIRA™ the Professional Issue Tracker. (Standard Edition, Version: 3.7.4-#189) - Bug/feature request - Contact Administrators