Skip to content

Flag to disable advisory locks #14562

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
brandan-schmitz opened this issue May 19, 2025 · 1 comment
Open

Flag to disable advisory locks #14562

brandan-schmitz opened this issue May 19, 2025 · 1 comment
Labels
enhancement New feature or request

Comments

@brandan-schmitz
Copy link

Is your feature request related to a problem? Please describe.

It has been raised once before here but it has been quite a while since it was closed. The ability to use CockroachDB as the database would really help. The scalability, redundancy and performance built into that makes it much nicer for running applications. Right now, from what I can tell the only thing preventing people from using that is the couple of places using advisory locks.

Describe the solution you'd like

Either the removal of the advisory locks (I understand this is probably unlikely unless there is an easy way to do what it is doing) or a configuration flag or something that would disable those locks for those of us who want to use CockroachDB with the understanding its not fully supported.

Describe alternatives you've considered

No alternatives are available.

Additional context

From what I can see, there are only 5 locations that reference pglocks and only 4 that are referencing it.

This one is only used within this same file in run_migrations()

authentik/lifecycle/migrate.py

Lines 55 to 70 in 3748781

def wait_for_lock(cursor: Cursor):
"""lock an advisory lock to prevent multiple instances from migrating at once"""
global LOCKED # noqa: PLW0603
LOGGER.info("waiting to acquire database lock")
cursor.execute("SELECT pg_advisory_lock(%s)", (ADV_LOCK_UID,))
LOCKED = True
def release_lock(cursor: Cursor):
"""Release database lock"""
global LOCKED # noqa: PLW0603
if not LOCKED:
return
LOGGER.info("releasing database lock")
cursor.execute("SELECT pg_advisory_unlock(%s)", (ADV_LOCK_UID,))
LOCKED = False


These next three are all extending the Model class and defining the sync_lock function.

authentik/authentik/lib/sync/outgoing/models.py

Lines 42 to 49 in 3748781

@property
def sync_lock(self) -> pglock.advisory:
"""Postgres lock for syncing to prevent multiple parallel syncs happening"""
return pglock.advisory(
lock_id=f"goauthentik.io/{connection.schema_name}/providers/outgoing-sync/{str(self.pk)}",
timeout=0,
side_effect=pglock.Return,
)

authentik/authentik/sources/kerberos/models.py

Lines 165 to 172 in 3748781

@property
def sync_lock(self) -> pglock.advisory:
"""Redis lock for syncing Kerberos to prevent multiple parallel syncs happening"""
return pglock.advisory(
lock_id=f"goauthentik.io/{connection.schema_name}/sources/kerberos/sync/{self.slug}",
timeout=0,
side_effect=pglock.Return,
)

authentik/authentik/sources/ldap/models.py

Lines 256 to 263 in 3748781

@property
def sync_lock(self) -> pglock.advisory:
"""Postgres lock for syncing LDAP to prevent multiple parallel syncs happening"""
return pglock.advisory(
lock_id=f"goauthentik.io/{connection.schema_name}/sources/ldap/sync/{self.slug}",
timeout=0,
side_effect=pglock.Return,
)


From what I can find, that sync_lock is only utilized in the following locations:

authentik/authentik/sources/kerberos/tasks.py

Lines 55 to 61 in 3748781

with source.sync_lock as lock_acquired:
if not lock_acquired:
LOGGER.debug(
"Failed to acquire lock for Kerberos sync, skipping task", source=source.slug
)
return
# Delete all sync tasks from the cache

authentik/authentik/sources/ldap/tasks.py

Lines 66 to 70 in 3748781

with source.sync_lock as lock_acquired:
if not lock_acquired:
LOGGER.debug("Failed to acquire lock for LDAP sync, skipping task", source=source.slug)
return
# Delete all sync tasks from the cache

authentik/authentik/lib/sync/outgoing/api.py

Lines 73 to 78 in 3748781

with provider.sync_lock as lock_acquired:
status = {
"tasks": tasks,
# If we could not acquire the lock, it means a task is using it, and thus is running
"is_running": not lock_acquired,
}

authentik/authentik/lib/sync/outgoing/tasks.py

Lines 80 to 83 in 3748781

with allow_join_result(), provider.sync_lock as lock_acquired:
if not lock_acquired:
self.logger.debug("Failed to acquire sync lock, skipping", provider=provider.name)
return

authentik/authentik/sources/kerberos/api/source.py

Lines 112 to 116 in 3748781

with source.sync_lock as lock_acquired:
status = {
"tasks": tasks,
"is_running": not lock_acquired,
}

authentik/authentik/sources/ldap/api.py

Lines 175 to 180 in 3748781

with source.sync_lock as lock_acquired:
status = {
"tasks": tasks,
# If we could not acquire the lock, it means a task is using it, and thus is running
"is_running": not lock_acquired,
}


Summary

Aside from the above mentioned code, I am not seeing anything else that has to do with Advisory locks. I am really hoping it would not be too difficult to be able to have a way to bypass the need for advisory locks for those that want to be able to run this on CockroachDB. And there did seem to be some interest in that based on the previous issue raised.
@brandan-schmitz brandan-schmitz added the enhancement New feature or request label May 19, 2025
@rissson
Copy link
Member

rissson commented May 19, 2025

That is unlikely to happen. Those locks are necessary for proper operation, and we'll be adding a bunch more with #13492 that will be used virtually everywhere.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@brandan-schmitz @rissson