Uploaded image for project: 'Kafka'
  1. Kafka
  2. KAFKA-9729

Shrink inWriteLock time in SimpleAuthorizer

    XMLWordPrintableJSON

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.1.0
    • Fix Version/s: 2.6.0
    • Component/s: security
    • Labels:
      None

      Description

      Current SimpleAuthorizer needs 'inWriteLock' when processing add/remove acls requests, while getAcls in authorize() needs 'inReadLock'.
      That means handling add/remove acls requests would block all other requests for example produce and fetch requests.
      When processing add/remove acls, updateResourceAcls() access zk to update acls, which could be long in the case like network glitch.
      We did the simulation for zk delay.
      When adding 100ms delay on zk side, 'inWriteLock' in addAcls()/removeAcls lasts for 400ms~500ms.
      When adding 500ms delay on zk side, 'inWriteLock' in addAcls()/removeAcls lasts for 2000ms~2500ms.

      override def addAcls(acls: Set[Acl], resource: Resource) {
        if (acls != null && acls.nonEmpty) {
          inWriteLock(lock) {
            val startMs = Time.SYSTEM.milliseconds()
            updateResourceAcls(resource) { currentAcls =>
              currentAcls ++ acls
            }
            warn(s"inWriteLock in addAcls consumes ${Time.SYSTEM.milliseconds() - startMs} milliseconds.")
          }
        }
      }

      Blocking produce/fetch requests for 2s would cause apparent performance degradation for the whole cluster.
      So considering is it possible to remove 'inWriteLock' in addAcls/removeAcls and only put 'inWriteLock' inside updateCache, which is called by addAcls/removeAcls. 

      // code placeholder
      private def updateCache(resource: Resource, versionedAcls: VersionedAcls) {
       if (versionedAcls.acls.nonEmpty) {
       aclCache.put(resource, versionedAcls)
       } else {
       aclCache.remove(resource)
       }
       }
      

      If do this, block time is only the time for updating local cache, which isn't influenced by network glitch. But don't know if there were special concerns to have current strict write lock and not sure if there are side effects if only put lock to updateCache.

      Btw, the latest version uses 'inWriteLock' at same places as version 1.1.0.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                lucasbradstreet Lucas Bradstreet
                Reporter:
                Jiao-zhang Jiao Zhang
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: