[ https://issues.apache.org/jira/browse/KAFKA-5261?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16014945#comment-16014945 ]
Stephane Maarek commented on KAFKA-5261:
----------------------------------------

this and possibly
{code}
private def aclMatch(session: Session, operations: Operation, resource: Resource, principal: KafkaPrincipal, host: String, permissionType: PermissionType, acls: Set[Acl]): Boolean = {
  acls.find { acl =>
    acl.permissionType == permissionType &&
      (acl.principal == principal || acl.principal == Acl.WildCardPrincipal) &&
      (operations == acl.operation || acl.operation == All) &&
      (acl.host == host || acl.host == Acl.WildCardHost)
  }.exists { acl =>
    authorizerLogger.debug(s"operation = $operations on resource = $resource from host = $host is $permissionType based on acl = $acl")
    true
  }
}
{code}
In case acls is big, that could be costly to do over and over again

> Performance improvement of SimpleAclAuthorizer
> ----------------------------------------------
>
>                 Key: KAFKA-5261
>                 URL: https://issues.apache.org/jira/browse/KAFKA-5261
>             Project: Kafka
>          Issue Type: Improvement
>    Affects Versions: 0.10.2.1
>            Reporter: Stephane Maarek
>
> Currently, looking at the KafkaApis class, it seems that every request going
> through Kafka is also going through an authorize check:
> {code}
>   private def authorize(session: Session, operation: Operation, resource: Resource): Boolean =
>     authorizer.forall(_.authorize(session, operation, resource))
> {code}
> The SimpleAclAuthorizer logic runs through checks which all look to be done
> in linear time (except on first run) proportional to the number of acls on a
> specific resource. This operation is re-run every time a client tries to use
> a Kafka Api, especially on the very often called `handleProducerRequest` and
> `handleFetchRequest`
> I believe a cache could be built to store the result of the authorize call,
> possibly allowing more expensive authorize() calls to happen, and reducing
> greatly the CPU usage in the long run. The cache would be invalidated every
> time a change happens to aclCache
> Thoughts before I try giving it a go with a PR?

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
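
The cache proposed in the issue above, sketched as an added example (not part of the original message and not Kafka's code). `Acl`, `Request`, `CachingAuthorizer` and `Demo` are hypothetical simplified stand-ins, and superusers and the behaviour when a resource has no ACLs are left out. Each cached decision is tagged with the ACL version it was computed against, so a revocation takes effect on the very next call:

```scala
import java.util.concurrent.ConcurrentHashMap
import java.util.concurrent.atomic.AtomicLong
// Hypothetical, simplified stand-ins for Kafka's Acl and Session/Resource types.
final case class Acl(principal: String, host: String, operation: String, allow: Boolean)
final case class Request(principal: String, host: String, operation: String, resource: String)

class CachingAuthorizer {
  @volatile private var acls = Map.empty[String, Set[Acl]]
  private val version = new AtomicLong(0)
  // Each decision is stored with the ACL version it was computed against.
  private val decisions = new ConcurrentHashMap[Request, (Long, Boolean)]()
  val linearScans = new AtomicLong(0) // number of uncached evaluations
  // Any ACL change bumps the version and drops the cache, so an "allow" cached
  // before a revocation can never be served after it.
  def updateAcls(resource: String, newAcls: Set[Acl]): Unit = synchronized {
    acls = acls.updated(resource, newAcls)
    version.incrementAndGet()
    decisions.clear()
  }
  private def matches(acl: Acl, r: Request, allow: Boolean): Boolean =
    acl.allow == allow &&
      (acl.principal == r.principal || acl.principal == "*") &&
      (acl.operation == r.operation || acl.operation == "All") &&
      (acl.host == r.host || acl.host == "*")
  // The linear scan from the issue: a matching deny wins, otherwise an allow must match.
  private def evaluate(r: Request): Boolean = {
    linearScans.incrementAndGet()
    val forResource = acls.getOrElse(r.resource, Set.empty[Acl])
    !forResource.exists(matches(_, r, false)) && forResource.exists(matches(_, r, true))
  }
  def authorize(r: Request): Boolean = {
    val v = version.get()
    val cached = decisions.get(r)
    if (cached != null && cached._1 == v) cached._2
    else {
      val allowed = evaluate(r)
      decisions.put(r, (v, allowed)) // an entry with an old tag is never served
      allowed
    }
  }
}

object Demo extends App {
  val auth = new CachingAuthorizer
  val req = Request("User:alice", "10.0.0.5", "Write", "Topic:payments") // constructed sample
  auth.updateAcls("Topic:payments", Set(Acl("User:alice", "*", "Write", allow = true)))
  assert(auth.authorize(req) && auth.authorize(req) && auth.linearScans.get() == 1) // 2nd call: cache hit
  auth.updateAcls("Topic:payments", Set.empty) // revoke the grant
  assert(!auth.authorize(req) && auth.linearScans.get() == 2) // revocation honoured at once
}
```

The cache key (principal, host, operation, resource) is influenced by clients, so a production version would also need a size bound on the map.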