Uploaded image for project: 'Jackrabbit Oak'
  1. Jackrabbit Oak
  2. OAK-7860

Make PermissionEntryCache more resilient against OOME

    XMLWordPrintableJSON

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.10.0, 1.9.10
    • Component/s: core
    • Labels:
      None

      Description

      The PermissionEntryProviderImpl (one instance per session) is responsible for serving the permission entries. It can be backed by 2 different types of caches:

      • the PathEntryMapCache which is simply a map that eagerly loads all existing permissions for a session (aka. set of principals). Used only if there are less than 250 total entries per session (all principals combined).
      • The DefaultPermissionCache backed by the PermissionEntryCache. this is the fallback for the cases where the above is too expensive to use.

      In some cases, even if the number of permission entries per principal is not too large, a session that accumulates large numbers of group principals (I've seen over 700 in one internal case), will always fallback to use the PermissionEntryCache.

      The PermissionEntryCache is a cache that is using the principal as a key and the permission entries as values. It is aggregating 2 different types of data:

      • Existing policies: maps principals to paths with (their) existing policies (regular cache stuff)
      • but it also retains paths without any relevant policies for the current session, as empty sets [0]. being a cache keyed on the 'principal', this placeholder for empty policies will be set for each principal.
        I believe this second part can be responsible for a large memory footprint, which can also be amplified by the very large number of principals in the session.

      I would like to propose separating the 2 sets contained in the cache, putting the non-relevant paths in a dedicated map with a fixed size.

      [0] https://github.com/apache/jackrabbit-oak/blob/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionEntryCache.java#L74

        Attachments

        1. bench-patch-1,5,10.png
          393 kB
          Alex Deparvu
        2. bench-patch-10,50,100.png
          348 kB
          Alex Deparvu
        3. bench-trunk-1,5,10.png
          328 kB
          Alex Deparvu
        4. bench-trunk-10,50,100-crash at 50.png
          167 kB
          Alex Deparvu

          Issue Links

            Activity

              People

              • Assignee:
                stillalex Alex Deparvu
                Reporter:
                stillalex Alex Deparvu
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: