Uploaded image for project: 'Kafka'
  1. Kafka
  2. KAFKA-9729

Shrink inWriteLock time in SimpleAuthorizer



    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.1.0
    • Fix Version/s: 2.6.0
    • Component/s: security
    • Labels:


      Current SimpleAuthorizer needs 'inWriteLock' when processing add/remove acls requests, while getAcls in authorize() needs 'inReadLock'.
      That means handling add/remove acls requests would block all other requests for example produce and fetch requests.
      When processing add/remove acls, updateResourceAcls() access zk to update acls, which could be long in the case like network glitch.
      We did the simulation for zk delay.
      When adding 100ms delay on zk side, 'inWriteLock' in addAcls()/removeAcls lasts for 400ms~500ms.
      When adding 500ms delay on zk side, 'inWriteLock' in addAcls()/removeAcls lasts for 2000ms~2500ms.

      override def addAcls(acls: Set[Acl], resource: Resource) {
        if (acls != null && acls.nonEmpty) {
          inWriteLock(lock) {
            val startMs = Time.SYSTEM.milliseconds()
            updateResourceAcls(resource) { currentAcls =>
              currentAcls ++ acls
            warn(s"inWriteLock in addAcls consumes ${Time.SYSTEM.milliseconds() - startMs} milliseconds.")

      Blocking produce/fetch requests for 2s would cause apparent performance degradation for the whole cluster.
      So considering is it possible to remove 'inWriteLock' in addAcls/removeAcls and only put 'inWriteLock' inside updateCache, which is called by addAcls/removeAcls. 

      // code placeholder
      private def updateCache(resource: Resource, versionedAcls: VersionedAcls) {
       if (versionedAcls.acls.nonEmpty) {
       aclCache.put(resource, versionedAcls)
       } else {

      If do this, block time is only the time for updating local cache, which isn't influenced by network glitch. But don't know if there were special concerns to have current strict write lock and not sure if there are side effects if only put lock to updateCache.

      Btw, the latest version uses 'inWriteLock' at same places as version 1.1.0.


          Issue Links



              • Assignee:
                lucasbradstreet Lucas Bradstreet
                Jiao-zhang Jiao Zhang
              • Votes:
                0 Vote for this issue
                4 Start watching this issue


                • Created: