[
https://issues.apache.org/jira/browse/KAFKA-20651?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
ibenchhida updated KAFKA-20651:
-------------------------------
Description:
kafkaPrincipal() is called frequently during authorization (once per matching
ACL). Each call parses the principal string and allocates a new KafkaPrincipal
object.
This adds a ConcurrentHashMap<String, KafkaPrincipal> cache to avoid redundant
parsing and allocation. The cache is bounded by the number of distinct
principal strings in the ACL store (typically orders of magnitude smaller than
total ACL count).
was:
{{StandardAuthorizerData.findAclRule}} and {{checkSection}} perform linear
scans over the global ACL set ({{{}aclsByResource{}}}) for each authorization
request.
With large ACL datasets (e.g. ~7000 ACLs), this results in excessive CPU usage
due to repeated evaluation of irrelevant ACLs for a given principal.
The current design filters ACLs by principal only at evaluation time
({{{}findResult{}}}), instead of narrowing the search space earlier.
> Cache parsed KafkaPrincipal in StandardAcl.kafkaPrincipal()
> -----------------------------------------------------------
>
> Key: KAFKA-20651
> URL: https://issues.apache.org/jira/browse/KAFKA-20651
> Project: Kafka
> Issue Type: Bug
> Components: core
> Affects Versions: 3.9.2
> Environment: KRaft clusters using StandardAuthorizer (3.4.0+)
> Reporter: ibenchhida
> Priority: Critical
> Labels: authorization, performance
>
> kafkaPrincipal() is called frequently during authorization (once per matching
> ACL). Each call parses the principal string and allocates a new
> KafkaPrincipal object.
> This adds a ConcurrentHashMap<String, KafkaPrincipal> cache to avoid
> redundant parsing and allocation. The cache is bounded by the number of
> distinct principal strings in the ACL store (typically orders of magnitude
> smaller than total ACL count).
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
