acl_store: Return prefix matches as a view #17152
Conversation
oleiman
force-pushed
the
security/acl-store-alloc
branch
3 times, most recently
from
6703782
to
cc8fd02
Compare
|
/dt |
|
ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/46392#018e5303-a45f-4eeb-a347-a21a6f959733 ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/46392#018e5303-a454-4703-b894-229c25082dc5 ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/46392#018e53c4-6f4e-406c-8b8d-fb68583a21db ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/46392#018e53c4-6f59-46c1-934a-68f27b541722 ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/46577#018e6239-67f3-4841-beb4-6da20c4f7679 ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/46577#018e624b-6761-4629-b60f-54b95b80a883 ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/46595#018e639c-c303-4eaa-8034-42e186084ef2 |
oleiman
force-pushed
the
security/acl-store-alloc
branch
3 times, most recently
from
22b394a
to
4b6ce35
Compare
| template<typename RefT> | ||
| static auto get_prefix_view( |
There was a problem hiding this comment.
Do we need to warn users of this interface about any invalidation foot-guns since presumably they are not only hanging on to references into entries in the container, but now also iterators?
There was a problem hiding this comment.
Ugh, yeah that's a great point. This usage should be safe -- call chain has exactly one consumer (authorizer::authorized) and no yield points -- but stern comments here and on acl_store::find definitely a good idea.
There was a problem hiding this comment.
i figured this was probably the case most of the acl/security code is in non-futurized code paths. but holding these across co_awaits is a constant footgun we encounter.
There was a problem hiding this comment.
Indeed. Also I had btree_map erroneously filed away as iter stable. Thankfully reminded that's not the case in core panda the other day!
src/v/security/role.cc
Outdated
| return _members_store; | ||
| }); | ||
| }) | ||
| | std::views::filter(std::forward<decltype(pred)>(pred)) |
There was a problem hiding this comment.
confused about this one. it looks like you want std::move(pred) here without the forwarding?
| template auth_result authorizer::authorized( | ||
| const kafka::transactional_id&, | ||
| acl_operation, | ||
| const acl_principal&, | ||
| const acl_host&) const; |
This shaves a whole allocation off of each call to `authorizer::authorized` both with and without roles. The major consequence of this is that `acl_store.h` is included (transitively via `authorizer.h`) in many places, so we're bleeding range view templates throughout the source tree. Subsequent commits seek to isolate those templates by breaking header dependencies. Signed-off-by: Oren Leiman <oren.leiman@redpanda.com>
Signed-off-by: Oren Leiman <oren.leiman@redpanda.com>
And explicitly instantiate, since the set of resource types is bounded and small. This breaks a rather large dependency on `role_store.h` throughout the source tree. Signed-off-by: Oren Leiman <oren.leiman@redpanda.com>
Signed-off-by: Oren Leiman <oren.leiman@redpanda.com>
oleiman
force-pushed
the
security/acl-store-alloc
branch
from
4b6ce35
to
9f7777a
Compare
|
force push some comments and correct a perfect forward to a move in |
|
changes look good |
|
new failures in https://buildkite.com/redpanda/redpanda/builds/46595#018e639c-c2fe-44eb-a5cf-f9966cc97ba7: |
| @@ -188,8 +142,103 @@ class acl_store { | |||
| } | |||
| }; | |||
|
|
|||
| absl::btree_map<resource_pattern, acl_entry_set, resource_pattern_compare> | |||
| _acls; | |||
| using container_type = absl:: | |||
There was a problem hiding this comment.
nitpick: This commit would have been easier to review it was split into two steps:
- Pure refactor (code movement)
- Behaviour change
There was a problem hiding this comment.
Yeah, I have several regrets about the structure of this PR. Sorry for time suck 😕
| @@ -28,6 +28,7 @@ v_cc_library( | |||
| krb5_configurator.cc | |||
| gssapi_principal_mapper.cc | |||
| role.cc | |||
| authorizer.cc | |||
There was a problem hiding this comment.
nitpick: I usually try to keep this list sorted.
| @@ -18,6 +18,9 @@ class authorizer; | |||
| class credential_store; | |||
| class ephemeral_credential_store; | |||
| class role_store; | |||
| class role; | |||
There was a problem hiding this comment.
nitpick: I usually try to keep this list sorted
src/v/security/acl_store.h
Outdated
| }; | ||
|
|
||
| /* | ||
| * A lightweight container of references to ACL entries. An instance of this |
There was a problem hiding this comment.
nitpick: * A lightweight view of ACL entries.
| role_name_view, /* role_name */ | ||
| std::function<const members_store_type&(void)>>& e, | ||
| const security::role_member& member) { | ||
| [](const role_accessor& e, const RoleMember auto& member) { | ||
| const auto [name, get_ms] = e; |
There was a problem hiding this comment.
nitpick: copy not required (I changed the std::function to an ss::noncopyable_function)
| const auto [name, get_ms] = e; | |
| const auto& [name, get_ms] = e; |
| @@ -16,9 +16,9 @@ | |||
| #include "model/fundamental.h" | |||
| #include "security/acl.h" | |||
| #include "security/acl_store.h" | |||
| #include "security/fwd.h" | |||
There was a problem hiding this comment.
nitpick: These don't seem to be required:
#include "kafka/types.h"
#include "model/fundamental.h"
#include <assert.h> | return auth_result::opt_acl_match( | ||
| principal, host, operation, resource_name, std::nullopt); | ||
| } | ||
| const acl_host& host) const; |
There was a problem hiding this comment.
suggestion: You could also move auth_result::operator<<
|
@BenPope - thanks for suggestions. I'm going to defer those to a fast follow to clear the log jam here. |
| for (auto& binding : bindings) { | ||
| auto& entries = _acls[binding.pattern()]; | ||
| entries.insert(binding.entry()); | ||
| entries.rehash(); |
There was a problem hiding this comment.
rehash after the loop? seems like rehashing after each insert could be an expensive thing?
There was a problem hiding this comment.
Sure. fwiw, I didn't introduce this, I think it just shows up in the diff because I ripped acl_entry_set and git is...git. But I have a stack of minor changes coming and can stick that on top.
There was a problem hiding this comment.
yeh nbd, just drive by noticing things. maybe i had added this long ago?
There was a problem hiding this comment.
Ya, I assume it was from the OG implementation. I looked at it again and I think we'd need a container or something to keep track of which entries matched, so maybe not much to be gained anyway
This PR refactors acl_store slightly to return prefix ACL matches as a view. This saves a vector allocation on the authZ path.
Also breaks some header dependencies in an effort to isolate view templates to the specific compilation units where they are needed.
Backports Required
Release Notes