Idea: transparent sharding of user-keyed SSO-enabled services
Currently we support sharding by publishing shard-specific URLs (e.g. https://2.webmail.my.domain). This is a very simple and efficient approach, but it has a few disadvantages:
- the sharding structure is exposed publicly
- people might bookmark links etc. which become invalid on re-sharding
In order to support partitioned services directly in the HTTP router we have to solve the following problem: given a HTTP request, figure out which shard it should be sent to. In the general case of a complex service (where the answer isn't just in the URL itself) this is a complex problem, but the situation is different for user-partitioned, SSO-enabled services:
- the sharding key is also the username (or can be derived from it)
- the HTTP router has access to the SSO token (for this to be the case we would need to standardize all applications on using the same cookie name for SSO, but that's doable)
In this case the HTTP router itself can read the SSO token and route the request accordingly.
This will incur a performance overhead, as finding the backend from the username might require an RPC (an LDAP lookup, for instance), but this can be mitigated with a short-term cache. The implementation would require a new HTTP proxy layer (the alternative of writing a pile of Lua into nginx itself is not very appealing) co-hosted with nginx, like the sso-proxy. Such a proxy:
- would not perform SSO authentication itself (the backend application should do that)
- in fact it might not even validate the SSO token, just read the username out of it (validation stays with the backend)
- in pseudo-code, its decision algorithm might look like this:
  - unauthenticated request?
    - send to a random backend (handles things like /sso_login etc.)
  - authenticated request?
    - find backend from SSO username
    - send to that backend
This would allow us to implement the above-mentioned "webmail" service like this:
- public URL is just https://webmail.my.domain
- we simply need to provide a username->backend lookup function
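The decision algorithm above and the username->backend lookup function, as an added worked example (not code from this proposal or from sso-proxy). It assumes a cookie named `_sso`, a constructed token layout of `username|expiry|signature`, and a dict standing in for the LDAP directory; the TTL cache keeps repeated requests from the same user from re-issuing the lookup RPC.

```python
import random
import time
from typing import Callable, Dict, Optional, Tuple
# Constructed sample data standing in for the LDAP (or other RPC) directory.
BACKENDS = ["webmail-1.internal", "webmail-2.internal", "webmail-3.internal"]
SHARD_DIRECTORY = {"alice": "webmail-1.internal", "bob": "webmail-2.internal"}
SSO_COOKIE = "_sso"  # assumed cookie name standardized across applications
CACHE_TTL = 60.0     # short-term cache lifetime for username->backend answers

def parse_cookie_header(header: Optional[str]) -> Dict[str, str]:
    """Split a Cookie: header into a name->value dict."""
    cookies = {}
    for part in (header or "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies

def username_from_token(token: str) -> Optional[str]:
    """Read the username out of the SSO token without validating it.
    Assumed (constructed) layout: 'username|expiry|signature'. The backend
    still verifies the signature; a forged token only picks which shard rejects it."""
    username, sep, _rest = token.partition("|")
    return username if sep and username else None

class ShardRouter:
    def __init__(self, lookup: Callable[[str], Optional[str]], ttl: float = CACHE_TTL):
        self.lookup = lookup  # the username->backend function (e.g. an LDAP query)
        self.ttl = ttl
        self.cache: Dict[str, Tuple[str, float]] = {}  # username -> (backend, expiry)

    def backend_for_user(self, username: str, now: float) -> Optional[str]:
        entry = self.cache.get(username)
        if entry and entry[1] > now:
            return entry[0]  # cache hit: no RPC needed
        backend = self.lookup(username)
        if backend:
            self.cache[username] = (backend, now + self.ttl)
        return backend

    def route(self, headers: Dict[str, str], now: Optional[float] = None) -> str:
        """Unauthenticated -> random backend; authenticated -> the user's shard."""
        now = time.time() if now is None else now
        token = parse_cookie_header(headers.get("Cookie")).get(SSO_COOKIE)
        username = username_from_token(token) if token else None
        backend = self.backend_for_user(username, now) if username else None
        # A token naming an unknown user also takes the unauthenticated path.
        return backend or random.choice(BACKENDS)
```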