pgwire: limit concurrent updates to last_login_time

rafiss · rafiss · commit 76bf8cc0b9ff · 2025-07-31T15:08:15.000-04:00
This patch uses singleflight to ensure that each node only has one
request in flight for updating the last_login_time. If there already is
a request in flight, then that user is added to a set of pending users
to update, and their time gets populated in the next singleflight.

This will reduce write traffic to the system.users table.

This includes a minor refactor to separate the login_time updating logic
into a separate component.

Release note: None
diff --git a/pkg/sql/pgwire/BUILD.bazel b/pkg/sql/pgwire/BUILD.bazel
@@ -12,6 +12,7 @@ go_library(
         "conn.go",
         "hba_conf.go",
         "ident_map_conf.go",
+        "last_login_updater.go",
         "pre_serve.go",
         "pre_serve_options.go",
         "role_mapper.go",
@@ -81,6 +82,7 @@ go_library(
         "//pkg/util/ring",
         "//pkg/util/stop",
         "//pkg/util/syncutil",
+        "//pkg/util/syncutil/singleflight",
         "//pkg/util/system",
         "//pkg/util/timeofday",
         "//pkg/util/timeutil",
diff --git a/pkg/sql/pgwire/auth.go b/pkg/sql/pgwire/auth.go
@@ -90,14 +90,17 @@ type authOptions struct {
 // authentication and update c.sessionArgs with the authenticated user's name,
 // if different from the one given initially.
 func (c *conn) handleAuthentication(
-	ctx context.Context, ac AuthConn, authOpt authOptions, execCfg *sql.ExecutorConfig,
+	ctx context.Context, ac AuthConn, authOpt authOptions, server *Server,
 ) (connClose func(), _ error) {
 	if authOpt.testingSkipAuth {
 		return nil, nil
 	}
 	if authOpt.testingAuthHook != nil {
 		return nil, authOpt.testingAuthHook(ctx)
 	}
+	// Get execCfg from the server.
+	execCfg := server.execCfg
+
 	// To book-keep the authentication start time.
 	authStartTime := timeutil.Now()
 
@@ -278,28 +281,11 @@ func (c *conn) handleAuthentication(
 	duration := timeutil.Since(authStartTime).Nanoseconds()
 	c.publishConnLatencyMetric(duration, hbaEntry.Method.String())
 
-	c.populateLastLoginTime(ctx, execCfg, dbUser)
+	server.lastLoginUpdater.updateLastLoginTime(ctx, dbUser)
 
 	return connClose, nil
 }
 
-// populateLastLoginTime updates the last login time for the sql user
-// asynchronously. This not guaranteed to succeed and we log any errors obtained
-// from the update transaction to the DEV channel.
-func (c *conn) populateLastLoginTime(
-	ctx context.Context, execCfg *sql.ExecutorConfig, dbUser username.SQLUsername,
-) {
-	// Update last login time in async. This is done asynchronously to avoid
-	// blocking the connection.
-	if err := execCfg.Stopper.RunAsyncTask(ctx, "write_last_login_time", func(ctx context.Context) {
-		if err := sql.UpdateLastLoginTime(ctx, execCfg, dbUser.SQLIdentifier()); err != nil {
-			log.Warningf(ctx, "failed to update last login time for user %s: %v", dbUser, err)
-		}
-	}); err != nil {
-		log.Warningf(ctx, "failed to create async task to update last login time for user %s: %v", dbUser, err)
-	}
-}
-
 // publishConnLatencyMetric publishes the latency  of the connection
 // based on the authentication method.
 func (c *conn) publishConnLatencyMetric(duration int64, authMethod string) {
diff --git a/pkg/sql/pgwire/conn.go b/pkg/sql/pgwire/conn.go
@@ -151,7 +151,7 @@ func (c *conn) processCommands(
 	ctx context.Context,
 	authOpt authOptions,
 	ac AuthConn,
-	sqlServer *sql.Server,
+	server *Server,
 	reserved *mon.BoundAccount,
 	onDefaultIntSizeChange func(newSize int32),
 	sessionID clusterunique.ID,
@@ -175,7 +175,7 @@ func (c *conn) processCommands(
 		// network read on the connection's goroutine.
 		c.cancelConn()
 
-		pgwireKnobs := sqlServer.GetExecutorConfig().PGWireTestingKnobs
+		pgwireKnobs := server.SQLServer.GetExecutorConfig().PGWireTestingKnobs
 		if pgwireKnobs != nil && pgwireKnobs.CatchPanics {
 			if r := recover(); r != nil {
 				// Catch the panic and return it to the client as an error.
@@ -203,14 +203,14 @@ func (c *conn) processCommands(
 
 	// Authenticate the connection.
 	if connCloseAuthHandler, retErr = c.handleAuthentication(
-		ctx, ac, authOpt, sqlServer.GetExecutorConfig(),
+		ctx, ac, authOpt, server,
 	); retErr != nil {
 		// Auth failed or some other error.
 		return
 	}
 
 	var decrementConnectionCount func()
-	if decrementConnectionCount, retErr = sqlServer.IncrementConnectionCount(c.sessionArgs); retErr != nil {
+	if decrementConnectionCount, retErr = server.SQLServer.IncrementConnectionCount(c.sessionArgs); retErr != nil {
 		// This will return pgcode.TooManyConnections which is used by the sql proxy
 		// to skip failed auth throttle (as in this case the auth was fine but the
 		// error occurred before sending back auth ok msg)
@@ -224,7 +224,7 @@ func (c *conn) processCommands(
 	}
 
 	// Inform the client of the default session settings.
-	connHandler, retErr = c.sendInitialConnData(ctx, sqlServer, onDefaultIntSizeChange, sessionID)
+	connHandler, retErr = c.sendInitialConnData(ctx, server.SQLServer, onDefaultIntSizeChange, sessionID)
 	if retErr != nil {
 		return
 	}
@@ -250,7 +250,7 @@ func (c *conn) processCommands(
 
 	// Now actually process commands.
 	reservedOwned = false // We're about to pass ownership away.
-	retErr = sqlServer.ServeConn(
+	retErr = server.SQLServer.ServeConn(
 		ctx,
 		connHandler,
 		reserved,
diff --git a/pkg/sql/pgwire/last_login_updater.go b/pkg/sql/pgwire/last_login_updater.go
@@ -0,0 +1,106 @@
+// Copyright 2025 The Cockroach Authors.
+//
+// Use of this software is governed by the CockroachDB Software License
+// included in the /LICENSE file.
+
+package pgwire
+
+import (
+	"context"
+
+	"github.com/cockroachdb/cockroach/pkg/security/username"
+	"github.com/cockroachdb/cockroach/pkg/sql"
+	"github.com/cockroachdb/cockroach/pkg/util/log"
+	"github.com/cockroachdb/cockroach/pkg/util/syncutil"
+	"github.com/cockroachdb/cockroach/pkg/util/syncutil/singleflight"
+)
+
+// lastLoginUpdater handles updating the last login time for SQL users with
+// deduplication via singleflight to reduce concurrent updates.
+type lastLoginUpdater struct {
+	// group ensures that there is at most one last login time update
+	// in-flight at any given time.
+	group *singleflight.Group
+	// execCfg is the executor configuration used for running update operations.
+	execCfg *sql.ExecutorConfig
+
+	mu struct {
+		syncutil.Mutex
+		// pendingUsers tracks users that need their last login time updated
+		// in the next singleflight operation.
+		pendingUsers map[username.SQLUsername]struct{}
+	}
+}
+
+// newLastLoginUpdater creates a new lastLoginUpdater instance.
+func newLastLoginUpdater(execCfg *sql.ExecutorConfig) *lastLoginUpdater {
+	u := &lastLoginUpdater{
+		group:   singleflight.NewGroup("update last login time", ""),
+		execCfg: execCfg,
+	}
+	u.mu.pendingUsers = make(map[username.SQLUsername]struct{})
+	return u
+}
+
+// updateLastLoginTime updates the last login time for the SQL user
+// asynchronously. This is not guaranteed to succeed and we log any errors
+// obtained from the update transaction to the DEV channel.
+func (u *lastLoginUpdater) updateLastLoginTime(ctx context.Context, dbUser username.SQLUsername) {
+	// Avoid updating if we're in a read-only tenant.
+	if u.execCfg.TenantReadOnly {
+		return
+	}
+
+	// Use singleflight to ensure at most one last login time update batch
+	// is in-flight at any given time.
+	future, leader := u.group.DoChan(ctx, "UpdateLastLoginTime",
+		singleflight.DoOpts{
+			Stop:               u.execCfg.Stopper,
+			InheritCancelation: false,
+		},
+		func(ctx context.Context) (interface{}, error) {
+			// The leader adds itself to pending users, and processes all
+			// pending updates.
+			u.mu.Lock()
+			u.mu.pendingUsers[dbUser] = struct{}{}
+			u.mu.Unlock()
+			return nil, u.processPendingUpdates(ctx)
+		})
+
+	// Add this user to the pending set if not the leader,
+	if !leader {
+		u.mu.Lock()
+		u.mu.pendingUsers[dbUser] = struct{}{}
+		u.mu.Unlock()
+	} else {
+		// Leader waits for the result in an async task to avoid blocking authentication
+		if err := u.execCfg.Stopper.RunAsyncTask(ctx, "wait_last_login_update", func(ctx context.Context) {
+			result := future.WaitForResult(ctx)
+			if result.Err != nil {
+				log.Warningf(ctx, "could not update last login times: %v", result.Err)
+			}
+		}); err != nil {
+			log.Warningf(ctx, "could not create async task to wait for last login update: %v", err)
+		}
+	}
+}
+
+// processPendingUpdates processes all users in the pending set and clears it.
+func (u *lastLoginUpdater) processPendingUpdates(ctx context.Context) error {
+	u.mu.Lock()
+	users := make([]username.SQLUsername, 0, len(u.mu.pendingUsers))
+	for user := range u.mu.pendingUsers {
+		users = append(users, user)
+	}
+	// Clear the pending users set.
+	u.mu.pendingUsers = make(map[username.SQLUsername]struct{})
+	u.mu.Unlock()
+
+	// Update last login time for all pending users.
+	for _, user := range users {
+		if err := sql.UpdateLastLoginTime(ctx, u.execCfg, user.SQLIdentifier()); err != nil {
+			return err
+		}
+	}
+	return nil
+}
diff --git a/pkg/sql/pgwire/server.go b/pkg/sql/pgwire/server.go
@@ -276,6 +276,10 @@ type Server struct {
 
 	destinationMetrics destinationAggMetrics
 
+	// lastLoginUpdater handles updating the last login time for SQL users
+	// with deduplication to reduce concurrent updates for the same user.
+	lastLoginUpdater *lastLoginUpdater
+
 	mu struct {
 		syncutil.Mutex
 		// connCancelMap entries represent connections started when the server
@@ -444,6 +448,7 @@ func MakeServer(
 			BytesInCount:  aggmetric.NewCounter(MetaBytesIn, "remote"),
 			BytesOutCount: aggmetric.NewCounter(MetaBytesOut, "remote"),
 		},
+		lastLoginUpdater: newLastLoginUpdater(executorConfig),
 	}
 	server.sqlMemoryPool = mon.NewMonitor(mon.Options{
 		Name: mon.MakeName("sql"),
@@ -1210,7 +1215,7 @@ func (s *Server) serveImpl(
 				ctx,
 				authOpt,
 				authPipe,
-				sqlServer,
+				s,
 				reserved,
 				onDefaultIntSizeChange,
 				sessionID,
