[jira] [Updated] (KAFKA-20651) StandardAuthorizer: cache KafkaPrincipal in StandardAcl to eliminate allocation hotspot

Mon, 01 Jun 2026 10:39:10 -0700 


     [ 
https://issues.apache.org/jira/browse/KAFKA-20651?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

ibenchhida updated KAFKA-20651:
-------------------------------
    Summary: StandardAuthorizer: cache KafkaPrincipal in StandardAcl to 
eliminate allocation hotspot  (was: StandardAuthorizerData.checkSection 
infinite loop when ACL resource name is a prefix of the queried resource)

> StandardAuthorizer: cache KafkaPrincipal in StandardAcl to eliminate 
> allocation hotspot
> ---------------------------------------------------------------------------------------
>
>                 Key: KAFKA-20651
>                 URL: https://issues.apache.org/jira/browse/KAFKA-20651
>             Project: Kafka
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 3.9.2
>         Environment:  KRaft-based clusters using StandardAuthorizer (3.7.x, 
> 3.8.x, 3.9.x, 4.0.x — all versions with the current checkSection 
> implementation)
>            Reporter: ibenchhida
>            Priority: Critical
>
> *StandardAuthorizerData.checkSection()* can enter an infinite loop when 
> iterating over ACLs, causing request handler threads to spin at 100% CPU 
> indefinitely. The broker becomes unresponsive (metadata timeouts, file 
> descriptor leaks, memory growth) because the handler thread never returns.
> *Root Cause*
> The loop in checkSection iterates over a NavigableSet.tailSet(exemplar, true) 
> of sorted ACLs. It narrows the search range on each iteration by computing a 
> common prefix length (matchesUpTo) between the queried resource name and the 
> current ACL's resource name, then creating a new exemplar with that shortened 
> prefix.
> _The bug:_ When matchesUpTo equals the length of exemplar.resourceName() 
> (i.e., the queried resource is a prefix of the ACL resource name, e.g. 
> queried "foobar" vs ACL "foobar-A"), newPrefix = 
> exemplar.resourceName().substring(0, matchesUpTo) produces the same string as 
> the original exemplar. The subsequent tailSet(exemplar, true) restarts from 
> the same exemplar, and the first ACL in the iterator is the same one just 
> processed — infinite loop.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to