Skip to content

Improve scalability of get-license action #134457

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
DaveCTurner merged 4 commits into from
Sep 11, 2025
Merged

Improve scalability of get-license action #134457

DaveCTurner merged 4 commits into from
Sep 11, 2025

Conversation

@DaveCTurner
Copy link
Contributor

@DaveCTurner DaveCTurner commented Sep 10, 2025

Today this action runs on the transport worker thread and forwards the
request on to the master by default. It turns out that Elastic Agent
uses this API as a readiness check whenever opening a new connection, so
a thundering herd of 1000s of agents can prevent the transport worker
threads from doing more useful work for far too long, leading to high
latency and timeouts.

This commit changes the default behaviour to run the action on the local
node rather than forwarding to the master (although the option remains
to specify ?local=false) and dispatches the work off of the transport
worker early.

@DaveCTurner
Improve scalability of get-license action
c9300b8 
Today this action runs on the transport worker thread and forwards the
request on to the master by default. It turns out that Elastic Agent
uses this API as a readiness check whenever opening a new connection, so
a thundering herd of 1000s of agents can prevent the transport worker
threads from doing more useful work for far too long, leading to high
latency and timeouts.

This commit changes the default behaviour to run the action on the local
node rather than forwarding to the master (although the option remains
to specify `?local=false`) and dispatches the work off of the transport
worker early.
@DaveCTurner DaveCTurner requested a review from ywangd September 10, 2025 14:55
@DaveCTurner DaveCTurner added >enhancement :Security/License License functionality for commercial features v9.2.0 labels Sep 10, 2025
@elasticsearchmachine elasticsearchmachine added the Team:Security Meta label for security team label Sep 10, 2025
@elasticsearchmachine
Copy link
Collaborator

elasticsearchmachine commented Sep 10, 2025

Pinging @elastic/es-security (Team:Security)

@elasticsearchmachine
Copy link
Collaborator

elasticsearchmachine commented Sep 10, 2025

Hi @DaveCTurner, I've created a changelog YAML for you.

DaveCTurner added a commit to elastic/elasticsearch-specification that referenced this pull request Sep 10, 2025
@DaveCTurner
Update get-license default for ?local
b5b4cde 
The default for the `?local` parameter to the `GET _license` API changed
from `false` to `true` in elastic/elasticsearch#134457. This commit
adjusts the documentation to match.
@DaveCTurner DaveCTurner mentioned this pull request Sep 10, 2025
Merged
ywangd
ywangd approved these changes Sep 10, 2025
View reviewed changes
Copy link
Member

@ywangd ywangd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

I think it means a default GetLicense request now forks twice: First in its REST handler and second time in TransportMasterNodeAction. I think it's fine. Just wanted to call it out explicitly.

@DaveCTurner DaveCTurner merged commit 73c74fb into elastic:main Sep 11, 2025
40 checks passed
@DaveCTurner DaveCTurner deleted the 2025/09/10/get-license-improvements branch September 11, 2025 12:11
@DaveCTurner
Copy link
Contributor Author

DaveCTurner commented Sep 11, 2025

a default GetLicense request now forks twice

Yes you're right; I'd forgotten about that second dispatch in TransportMasterNodeAction which happens however it's invoked.

It concerns me slightly that any non-local TransportMasterNodeAction will do all the transport-layer security work on a transport worker thread on the master - this is itself surprisingly expensive even if the eventual action runs elsewhere. Hopefully there aren't too many other thundering-herds trying to call such actions, and/or we can eliminate most of this work from ever even reaching the master as described in #101805.

pquentin pushed a commit to elastic/elasticsearch-specification that referenced this pull request Sep 11, 2025
@DaveCTurner
Update get-license default for ?local (#5275)
a1f9660 
* Update get-license default for ?local

The default for the `?local` parameter to the `GET _license` API changed
from `false` to `true` in elastic/elasticsearch#134457. This commit
adjusts the documentation to match.

* Explain false
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ywangd ywangd ywangd approved these changes

Assignees

No one assigned

Labels

>enhancement :Security/License License functionality for commercial features Team:Security Meta label for security team v9.2.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@DaveCTurner @elasticsearchmachine @ywangd