What is the ‘access_federation_log’ table used for and how it is being used?

Shai Ben-Zvi
2019-12-01 14:55


What is the 'access_federation_log' table used for and how it is being used?


Access Federation is a feature in Artifactory which provides control over Access to any global JFrog products.
It provides the ability to synchronize security entities between federated instances.

When using Access Federation to sync groups, users and permissions updates, there is a possibility that these changes will fail if:
1. A downtime/maintenance of specific instance occurs,
2. There is a network issue
3. Artifactory is having sync errors, etc..

If the sync action fails, we make sure to save the data of the event in the 'access_federation_log' table.

Access Federation has a retry mechanism – an interval of time until it will retry again to sync the groups in case of a failure. It will try 3 times to sync again. The 4th time will increase the interval and will repeat the (previous) 3 times interval.

The above mechanism, will be repeated until the event will be considered as stale.
By default, the time until an event become stale, is 168 hours (1 week) – this parameter (consider-stale-hours) is configurable in the Access config file and basically means the time (hours) the server can remain unresponsive before being considered stale.

The above is important because its related to the cleanup mechanism done against the 'access_federation_log' table. Another important property is 'delete-stale-events-factor' which defines how to multiply the 'consider-stale-hours' before deleting any federation events, even if the event was not sent.

This means that by default, the calculation should be as follow: 168 x 2 = 336 (2 weeks).
Which means that after 2 weeks, the cleanup job will occur and will clean 1 week of staled artifacts.

So in case some tuning is required to the 'access_federation_log' when the table is growing too quickly and consumes a lot of space, the above values can be tuned.