Uploaded image for project: 'Kafka'
  1. Kafka
  2. KAFKA-5261

Performance improvement of SimpleAclAuthorizer

    XMLWordPrintableJSON

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 0.10.2.1
    • Fix Version/s: None
    • Component/s: security
    • Labels:
      None

      Description

      Currently, looking at the KafkaApis class, it seems that every request going through Kafka is also going through an authorize check:

        private def authorize(session: Session, operation: Operation, resource: Resource): Boolean =
          authorizer.forall(_.authorize(session, operation, resource))
      

      The SimpleAclAuthorizer logic runs through checks which all look to be done in linear time (except on first run) proportional to the number of acls on a specific resource. This operation is re-run every time a client tries to use a Kafka Api, especially on the very often called `handleProducerRequest` and `handleFetchRequest`

      I believe a cache could be built to store the result of the authorize call, possibly allowing more expensive authorize() calls to happen, and reducing greatly the CPU usage in the long run. The cache would be invalidated every time a change happens to aclCache

      Thoughts before I try giving it a go with a PR?

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                stephane.maarek@gmail.com Stephane Maarek
              • Votes:
                0 Vote for this issue
                Watchers:
                5 Start watching this issue

                Dates

                • Created:
                  Updated: