Skip to content

Speed up authentication on large zones #19

Description

@jonmz

The proxy does this validation in def zone_detail:

    zone = json_or_none(proxy_to_backend("GET", "zones/%s" % requested_zone))
    if zone and zone.get("account", None) != g.username:
        raise Forbidden

However for zones with many RRsets, it's a lot of overhead, and the RRsets are not needed for validation of the zone owner. So I would suggest to only fetch the full zone for GET requests, but for all other requests rrsets=false is added as a query parameter:

    if request.method == "GET":
        zone = json_or_none(proxy_to_backend("GET", "zones/%s" % requested_zone))
    else:
        zone = json_or_none(proxy_to_backend("GET", "zones/%s?rrsets=false" % requested_zone))
    if zone and zone.get("account", None) != g.username:
        raise Forbidden

The same applies for def zone_notify, but as here only PUT is used, I'd suggest to blindly set rrsets=false.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions