aws/credentials: Update Credentials cache to have less overhead

jasdel · jasdel · commit fd6cb236449b · 2018-06-06T13:19:03.000-07:00
Updates the Credentials type's cache of the CredentialsValue to be
synchronized with an atomic value in addition to the Mutex. This reduces
the overhead applications will encounter when many concurrent API
requests are being made.

Benchmarks of SafeCredentialsProvider.Retrieve improvements. This will
be the normal case until credentials expire. Each benchmark increases
the number of concurrent credential retrieves.

    benchmark                                                              old ns/op     new ns/op     delta
    BenchmarkSafeCredentialsProvider_Retrieve/1-4                          72.3          26.1          -63.90%
    BenchmarkSafeCredentialsProvider_Retrieve/10-4                         1055          121           -88.53%
    BenchmarkSafeCredentialsProvider_Retrieve/100-4                        15720         1216          -92.26%
    BenchmarkSafeCredentialsProvider_Retrieve/500-4                        65662         6194          -90.57%
    BenchmarkSafeCredentialsProvider_Retrieve/1000-4                       121962        12673         -89.61%
    BenchmarkSafeCredentialsProvider_Retrieve/10000-4                      9958536       127224        -98.72%

Benchmark of SafeCredentialsProvider.Retrieve with the credentials
periodically expiring.  The {rate}-{concurrent} benchmarks will expire
the credentials every {rate} attempts to get credentials, with
{concurrent} credential getters.

    benchmark                                                              old ns/op     new ns/op     delta
    BenchmarkSafeCredentialsProvider_Retrieve_Invalidate/10000-1-4         223           171           -23.32%
    BenchmarkSafeCredentialsProvider_Retrieve_Invalidate/10000-10-4        1527          313           -79.50%
    BenchmarkSafeCredentialsProvider_Retrieve_Invalidate/10000-100-4       14528         1779          -87.75%
    BenchmarkSafeCredentialsProvider_Retrieve_Invalidate/10000-500-4       89016         7764          -91.28%
    BenchmarkSafeCredentialsProvider_Retrieve_Invalidate/10000-1000-4      151669        14048         -90.74%
    BenchmarkSafeCredentialsProvider_Retrieve_Invalidate/10000-10000-4     10024041      201702        -97.99%
    BenchmarkSafeCredentialsProvider_Retrieve_Invalidate/1000-1-4          1450          1423          -1.86%
    BenchmarkSafeCredentialsProvider_Retrieve_Invalidate/1000-10-4         3043          1483          -51.27%
    BenchmarkSafeCredentialsProvider_Retrieve_Invalidate/1000-100-4        24763         2956          -88.06%
    BenchmarkSafeCredentialsProvider_Retrieve_Invalidate/1000-500-4        68852         8801          -87.22%
    BenchmarkSafeCredentialsProvider_Retrieve_Invalidate/1000-1000-4       121360        15952         -86.86%
    BenchmarkSafeCredentialsProvider_Retrieve_Invalidate/1000-10000-4      2133773       177960        -91.66%
    BenchmarkSafeCredentialsProvider_Retrieve_Invalidate/100-1-4           13688         13012         -4.94%
    BenchmarkSafeCredentialsProvider_Retrieve_Invalidate/100-10-4          15560         13239         -14.92%
    BenchmarkSafeCredentialsProvider_Retrieve_Invalidate/100-100-4         35299         15879         -55.02%
    BenchmarkSafeCredentialsProvider_Retrieve_Invalidate/100-500-4         110204        20949         -80.99%
    BenchmarkSafeCredentialsProvider_Retrieve_Invalidate/100-1000-4        259354        31070         -88.02%
    BenchmarkSafeCredentialsProvider_Retrieve_Invalidate/100-10000-4       7847174       196509        -97.50%
diff --git a/aws/credentials.go b/aws/credentials.go
@@ -3,6 +3,7 @@ package aws
 import (
 	"math"
 	"sync"
+	"sync/atomic"
 	"time"
 
 	"github.com/aws/aws-sdk-go-v2/internal/sdk"
@@ -85,7 +86,7 @@ type CredentialsProvider interface {
 type SafeCredentialsProvider struct {
 	RetrieveFn func() (Credentials, error)
 
-	creds Credentials
+	creds atomic.Value
 	m     sync.Mutex
 }
 
@@ -95,28 +96,45 @@ type SafeCredentialsProvider struct {
 //
 // Retruns and error if RetrieveFn returns an error.
 func (p *SafeCredentialsProvider) Retrieve() (Credentials, error) {
+	if creds := p.getCreds(); creds != nil {
+		return *creds, nil
+	}
+
 	p.m.Lock()
 	defer p.m.Unlock()
 
-	if p.creds.HasKeys() && !p.creds.Expired() {
-		return p.creds, nil
+	// Make sure another goroutine didn't already update the credentials.
+	if creds := p.getCreds(); creds != nil {
+		return *creds, nil
 	}
 
 	creds, err := p.RetrieveFn()
 	if err != nil {
 		return Credentials{}, err
 	}
+	p.creds.Store(&creds)
 
-	p.creds = creds
+	return creds, nil
+}
+
+func (p *SafeCredentialsProvider) getCreds() *Credentials {
+	v := p.creds.Load()
+	if v == nil {
+		return nil
+	}
 
-	return p.creds, nil
+	c := v.(*Credentials)
+	if c != nil && c.HasKeys() && !c.Expired() {
+		return c
+	}
+
+	return nil
 }
 
 // Invalidate will invalidate the cached credentials. The next call to Retrieve
 // will cause RetrieveFn to be called.
 func (p *SafeCredentialsProvider) Invalidate() {
 	p.m.Lock()
-	defer p.m.Unlock()
-
-	p.creds = Credentials{}
+	p.creds.Store((*Credentials)(nil))
+	p.m.Unlock()
 }
diff --git a/aws/credentials_bench_test.go b/aws/credentials_bench_test.go
@@ -0,0 +1,87 @@
+package aws
+
+import (
+	"fmt"
+	"strconv"
+	"sync"
+	"testing"
+	"time"
+)
+
+func BenchmarkSafeCredentialsProvider_Retrieve(b *testing.B) {
+	retrieveFn := func() (Credentials, error) {
+		return Credentials{
+			AccessKeyID:     "key",
+			SecretAccessKey: "secret",
+			Source:          "benchmark",
+		}, nil
+	}
+
+	cases := []int{1, 10, 100, 500, 1000, 10000}
+	for _, c := range cases {
+		b.Run(strconv.Itoa(c), func(b *testing.B) {
+			p := SafeCredentialsProvider{
+				RetrieveFn: retrieveFn,
+			}
+			var wg sync.WaitGroup
+			wg.Add(c)
+			for i := 0; i < c; i++ {
+				go func() {
+					for j := 0; j < b.N; j++ {
+						v, err := p.Retrieve()
+						if err != nil {
+							b.Fatalf("expect no error %v, %v", v, err)
+						}
+					}
+					wg.Done()
+				}()
+			}
+			b.ResetTimer()
+
+			wg.Wait()
+		})
+	}
+}
+
+func BenchmarkSafeCredentialsProvider_Retrieve_Invalidate(b *testing.B) {
+	retrieveFn := func() (Credentials, error) {
+		time.Sleep(time.Millisecond)
+		return Credentials{
+			AccessKeyID:     "key",
+			SecretAccessKey: "secret",
+			Source:          "benchmark",
+		}, nil
+	}
+
+	expRates := []int{10000, 1000, 100}
+	cases := []int{1, 10, 100, 500, 1000, 10000}
+	for _, expRate := range expRates {
+		for _, c := range cases {
+			b.Run(fmt.Sprintf("%d-%d", expRate, c), func(b *testing.B) {
+				p := SafeCredentialsProvider{
+					RetrieveFn: retrieveFn,
+				}
+				var wg sync.WaitGroup
+				wg.Add(c)
+				for i := 0; i < c; i++ {
+					go func(id int) {
+						for j := 0; j < b.N; j++ {
+							v, err := p.Retrieve()
+							if err != nil {
+								b.Fatalf("expect no error %v, %v", v, err)
+							}
+							// periodically expire creds to cause rwlock
+							if id == 0 && j%expRate == 0 {
+								p.Invalidate()
+							}
+						}
+						wg.Done()
+					}(i)
+				}
+				b.ResetTimer()
+
+				wg.Wait()
+			})
+		}
+	}
+}
