A note about mod_shib2 and mod_http2

Cantor, Scott cantor.2 at osu.edu
Sun Aug 20 13:42:09 EDT 2017


On 8/18/17, 10:41 PM, "users on behalf of Jacob Lundberg" <users-bounces at shibboleth.net on behalf of jacob at collegenet.com> wrote:

> What we change most often is attribute mappings.

That's certainly not a concern in general, though it isn't reloadable by default now. If you're not using headers and sticking to request variables, you could actually make that reloadable, and since you're not touching the main config file, you might not trigger the locking bug. If you are using headers, then there are some considerations that require Apache be at least reloaded (and due to the locking bug, probably restarted), so that's another good reason to avoid headers.

> Yes, I agree, those who wrote the Shibboleth software :) did not foresee some of the ways we
> are using it.  I don't mean to start an argument here about whether we
> "should" use the software in unintended ways.  I think that would be counterproductive.

It's not an argument, but it stands to reason that it's not going to work as well when it's used in ways that weren't designed to scale, that's all. In the case of metadata, I'm just proposing alternatives that *are* designed to scale better.

When somebody says their system takes 10 minutes to start up, I'm not going to ignore that. *That* is the most important problem to address. I would never expect anybody to see that as acceptable. If the issue is in a part of the system that really should be working better, then I would want to know that it's not. If it's something that I just didn't try to support (e.g. 100 metadata sources), then at least I know what the source of the problem is. And of course if it's because of a large metadata file, it's simply a known/unfixable problem for which the fix is on-demand metadata.
 
-- Scott



