Skip to content

feat: Cache BCrypt checkpw to enhance pinot query performance #9636

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
cxing wants to merge 2 commits into
base: master
Choose a base branch
from
Open

feat: Cache BCrypt checkpw to enhance pinot query performance #9636

cxing wants to merge 2 commits into from

Conversation

@cxing
Copy link

@cxing cxing commented Oct 21, 2022

Instructions:

  1. The PR has to be tagged with at least one of the following labels (*):
    performance

  2. Purpose for this pull request:
    We found a performance issue from master pinot code
    When we use zk as user and password authorization we found this function spend about 80ms for verifying
    isMatch = BCrypt.checkpw(pasword, encrypedPassword)

    So this solution is to cache this function result to enhance query speed

  3. Here is testing result in our lab env:
    Original code need 85ms at least to query
    Fixed code need 1 - 10ms at least to query

  4. Related issues: Cache BCrypt checkpw to enahce query performance  #9632

@codecov-commenter
Copy link

codecov-commenter commented Oct 21, 2022
edited
Loading

Codecov Report

Merging #9636 (41edf22) into master (fafb518) will increase coverage by 40.55%.
The diff coverage is 0.00%.

@@              Coverage Diff              @@
##             master    #9636       +/-   ##
=============================================
+ Coverage     28.06%   68.61%   +40.55%     
- Complexity       53     4848     +4795     
=============================================
  Files          1935     1947       +12     
  Lines        103815   104182      +367     
  Branches      15757    15798       +41     
=============================================
+ Hits          29134    71486    +42352     
+ Misses        71808    27589    -44219     
- Partials       2873     5107     +2234
Flag Coverage Δ
integration1 25.86% <0.00%> (-0.05%) ⬇️
integration2 ?
unittests1 67.35% <0.00%> (?)
unittests2 15.71% <0.00%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
...broker/broker/ZkBasicAuthAccessControlFactory.java 0.00% <0.00%> (ø)
...common/config/provider/AccessControlUserCache.java 0.00% <0.00%> (ø)
...ava/org/apache/pinot/common/utils/BcryptUtils.java 0.00% <0.00%> (ø)
.../pinot/server/access/ZkBasicAuthAccessFactory.java 0.00% <0.00%> (ø)
...t/core/plan/StreamingInstanceResponsePlanNode.java 0.00% <0.00%> (-100.00%) ⬇️
...ore/operator/streaming/StreamingResponseUtils.java 0.00% <0.00%> (-100.00%) ⬇️
...server/starter/helix/SegmentReloadStatusValue.java 0.00% <0.00%> (-100.00%) ⬇️
...ager/realtime/PeerSchemeSplitSegmentCommitter.java 0.00% <0.00%> (-100.00%) ⬇️
...urces/ServerReloadControllerJobStatusResponse.java 0.00% <0.00%> (-100.00%) ⬇️
...he/pinot/common/utils/grpc/GrpcRequestBuilder.java 0.00% <0.00%> (-90.91%) ⬇️
... and 1396 more

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

walterddr
walterddr reviewed Oct 21, 2022
View reviewed changes
Copy link
Contributor

@walterddr walterddr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thank you for the contribution. I haven't look at the cache logic but could we consolidate the 3 access control factory first? thank you!

pinot-broker/src/main/java/org/apache/pinot/broker/broker/ZkBasicAuthAccessControlFactory.java
Comment on lines +104 to +106
.filter(entry -> BcryptUtils.checkpwWithCache(entry.getKey(), entry.getValue().getPassword(),
_userCache.getUserPasswordAuthCache()))
.map(u -> u.getValue()).filter(Objects::nonNull).findFirst();
Copy link
Contributor

@walterddr walterddr Oct 21, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i dont know what's the relationship between this and the pinot-controller/src/main/java/org/apache/pinot/controller/api/access/ZkBasicAuthAccessControlFactory.java. please make sure both side are consistent

Copy link
Author

@cxing cxing Oct 23, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's fine , It would be clear to use ZkBasicAuthAccessFactory

Copy link
Contributor

@walterddr walterddr Oct 25, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah please consolidate the usage into just one. this will make future maintenance easier

pinot-core/src/main/java/org/apache/pinot/server/access/ZkBasicAuthAccessFactory.java
.collect(Collectors.toMap(name2password::get, _name2principal::get));
return password2principal.entrySet().stream()
.filter(entry -> BcryptUtils.checkpw(entry.getKey(), entry.getValue().getPassword()))
.filter(entry -> BcryptUtils.checkpwWithCache(entry.getKey(), entry.getValue().getPassword(),
Copy link
Contributor

@walterddr walterddr Oct 21, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

name it consistent with the broker one.
also why do we need 3? can't we just keep one in core?

Copy link
Author

@cxing cxing Oct 23, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thx for review, Do you means we need merge
org.apache.pinot.controller.api.access.ZkBasicAuthAccessControlFactory
org.apache.pinot.broker.broker.ZkBasicAuthAccessControlFactory
to
org.apache.pinot.server.access.ZkBasicAuthAccessFactory as hole project ZkBasicAuthAccessFactory

for Controller, broker and server nodes

Copy link
Contributor

@walterddr walterddr Oct 25, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes unless there's a specific reason controll/broker/server needs 3 different auth factory (and cannot be achieved via config differences)

Copy link
Author

@cxing cxing Oct 25, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thx @walterddr But if we need to merge controller, broker, server ZkBasicAuthAccessFactory,

Should we merge user and password for controller, broker, server nodes as well?
In other words controller, broker and server nodes should use same user and password for hole pinot cluster

@cxing @walterddr
Update pinot-common/src/main/java/org/apache/pinot/common/config/prov…
41edf22 
…ider/AccessControlUserCache.java

Co-authored-by: Rong Rong <rongr@apache.org>
@Jackie-Jiang
Copy link
Contributor

Jackie-Jiang commented Oct 25, 2022

Thanks for the contribution! Please reformat the changes with Pinot Style

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@walterddr walterddr walterddr left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

performance

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@cxing @codecov-commenter @Jackie-Jiang @walterddr