acl_store: Return prefix matches as a view #17152
6703782 to cc8fd02
/dt
ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/46392#018e5303-a45f-4eeb-a347-a21a6f959733
ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/46392#018e5303-a454-4703-b894-229c25082dc5
ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/46392#018e53c4-6f4e-406c-8b8d-fb68583a21db
ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/46392#018e53c4-6f59-46c1-934a-68f27b541722
ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/46577#018e6239-67f3-4841-beb4-6da20c4f7679
ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/46577#018e624b-6761-4629-b60f-54b95b80a883
ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/46595#018e639c-c303-4eaa-8034-42e186084ef2
22b394a to 4b6ce35
template<typename RefT> | ||
static auto get_prefix_view( |
Do we need to warn users of this interface about any invalidation foot-guns since presumably they are not only hanging on to references into entries in the container, but now also iterators?
Ugh, yeah that's a great point. This usage should be safe -- call chain has exactly one consumer (`authorizer::authorized`) and no yield points -- but stern comments here and on `acl_store::find` definitely a good idea.
i figured this was probably the case most of the acl/security code is in non-futurized code paths. but holding these across co_awaits is a constant footgun we encounter.
Indeed. Also I had btree_map erroneously filed away as iter stable. Thankfully reminded that's not the case in core panda the other day!
src/v/security/role.cc
Outdated
return _members_store; | ||
}); | ||
}) | ||
| std::views::filter(std::forward<decltype(pred)>(pred)) |
confused about this one. it looks like you want `std::move(pred)` here without the forwarding?
yeah definitely.
template auth_result authorizer::authorized( | ||
const kafka::transactional_id&, | ||
acl_operation, | ||
const acl_principal&, | ||
const acl_host&) const; |
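Review bot: the explicit instantiation for `const kafka::transactional_id&` shown here only links for callers whose resource type has a matching `template auth_result authorizer::authorized(...)` line in this file; a resource type that is missed fails at link time with an undefined symbol rather than at compile time. A comment beside the template's declaration that names the instantiated types and points here would tell the next person adding a resource type where to register it.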
header ❤️
This shaves a whole allocation off of each call to `authorizer::authorized` both with and without roles. The major consequence of this is that `acl_store.h` is included (transitively via `authorizer.h`) in many places, so we're bleeding range view templates throughout the source tree. Subsequent commits seek to isolate those templates by breaking header dependencies.
Signed-off-by: Oren Leiman <oren.leiman@redpanda.com>
Signed-off-by: Oren Leiman <oren.leiman@redpanda.com>
And explicitly instantiate, since the set of resource types is bounded and small. This breaks a rather large dependency on `role_store.h` throughout the source tree.
Signed-off-by: Oren Leiman <oren.leiman@redpanda.com>
Signed-off-by: Oren Leiman <oren.leiman@redpanda.com>
4b6ce35 to 9f7777a
force push some comments and correct a perfect forward to a move in
changes look good
new failures in https://buildkite.com/redpanda/redpanda/builds/46595#018e639c-c2fe-44eb-a5cf-f9966cc97ba7:
Looks great
@@ -188,8 +142,103 @@ class acl_store { | |||
} | |||
}; | |||
|
|||
absl::btree_map<resource_pattern, acl_entry_set, resource_pattern_compare> | |||
_acls; | |||
using container_type = absl:: |
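Review bot: missing documentation on the `container_type` alias that starts on the last line of this hunk. The `_acls` member shown just above it is an `absl::btree_map`, which does not keep iterators or references valid across insert or erase, so a comment at the alias should say that anything handed out from this container (references to an `acl_entry_set`, iterators) has to be consumed before the store is next modified.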
nitpick: This commit would have been easier to review if it was split into two steps:
- Pure refactor (code movement)
- Behaviour change
Yeah, I have several regrets about the structure of this PR. Sorry for time suck 😕
@@ -28,6 +28,7 @@ v_cc_library( | |||
krb5_configurator.cc | |||
gssapi_principal_mapper.cc | |||
role.cc | |||
authorizer.cc |
nitpick: I usually try to keep this list sorted.
@@ -18,6 +18,9 @@ class authorizer; | |||
class credential_store; | |||
class ephemeral_credential_store; | |||
class role_store; | |||
class role; |
nitpick: I usually try to keep this list sorted
src/v/security/acl_store.h
Outdated
}; | ||
|
||
/* | ||
* A lightweight container of references to ACL entries. An instance of this |
nitpick: * A lightweight view of ACL entries.
role_name_view, /* role_name */ | ||
std::function<const members_store_type&(void)>>& e, | ||
const security::role_member& member) { | ||
[](const role_accessor& e, const RoleMember auto& member) { | ||
const auto [name, get_ms] = e; |
nitpick: copy not required (I changed the `std::function` to an `ss::noncopyable_function`)
const auto [name, get_ms] = e; | |
const auto& [name, get_ms] = e; |
@@ -16,9 +16,9 @@ | |||
#include "model/fundamental.h" | |||
#include "security/acl.h" | |||
#include "security/acl_store.h" | |||
#include "security/fwd.h" |
nitpick: These don't seem to be required:
#include "kafka/types.h"
#include "model/fundamental.h"
#include <assert.h>
return auth_result::opt_acl_match( | ||
principal, host, operation, resource_name, std::nullopt); | ||
} | ||
const acl_host& host) const; |
suggestion: You could also move `auth_result::operator<<`
@BenPope - thanks for suggestions. I'm going to defer those to a fast follow to clear the log jam here.
for (auto& binding : bindings) { | ||
auto& entries = _acls[binding.pattern()]; | ||
entries.insert(binding.entry()); | ||
entries.rehash(); |
rehash after the loop? seems like rehashing after each insert could be an expensive thing?
Sure. fwiw, I didn't introduce this, I think it just shows up in the diff because I ripped `acl_entry_set` and git is...git. But I have a stack of minor changes coming and can stick that on top.
yeh nbd, just drive by noticing things. maybe i had added this long ago?
Ya, I assume it was from the OG implementation. I looked at it again and I think we'd need a container or something to keep track of which entries matched, so maybe not much to be gained anyway
This PR refactors acl_store slightly to return prefix ACL matches as a view. This saves a vector allocation on the authZ path.
Also breaks some header dependencies in an effort to isolate view templates to the specific compilation units where they are needed.
Backports Required
Release Notes
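The pattern this PR describes, prefix matches handed back as a non-owning view and consumed by one synchronous caller, as an added example that is not Redpanda's code. `acl_map`, `prefix_view` and the deny-wins rule in `authorized` are assumptions made for illustration, and `std::map` stands in for the project's container.

```cpp
#include <map>
#include <string>
#include <string_view>

// Constructed stand-in for the ACL container: prefixed pattern -> allow (true) / deny (false).
using acl_map = std::map<std::string, bool, std::less<>>;

// Non-owning view of the entries whose pattern is a prefix of `name`; no vector is built.
// It stores iterators into the map and a string_view of the caller's name, so it
// must be consumed before the map is mutated and never kept across a co_await.
class prefix_view {
public:
    class iterator {
    public:
        iterator(acl_map::const_iterator it, acl_map::const_iterator end, std::string_view name)
          : _it(it), _end(end), _name(name) { skip(); }
        const acl_map::value_type& operator*() const { return *_it; }
        iterator& operator++() { ++_it; skip(); return *this; }
        bool operator!=(const iterator& o) const { return _it != o._it; }
    private:
        // Advance to the next pattern that is a prefix of the name.
        void skip() {
            while (_it != _end && _name.compare(0, _it->first.size(), _it->first) != 0) ++_it;
        }
        acl_map::const_iterator _it, _end;
        std::string_view _name;
    };
    prefix_view(const acl_map& m, std::string_view name)
      // Every non-empty prefix p of name sorts in [name[0..1), name] in map order.
      : _first(m.lower_bound(name.substr(0, 1))), _last(m.upper_bound(name)), _name(name) {}
    iterator begin() const { return {_first, _last, _name}; }
    iterator end() const { return {_last, _last, _name}; }
private:
    acl_map::const_iterator _first, _last;
    std::string_view _name;
};

// Single synchronous consumer: the view never outlives this call.
bool authorized(const acl_map& acls, std::string_view name) {
    bool allowed = false;
    for (const auto& [pattern, allow] : prefix_view(acls, name)) {
        if (!allow) return false; // assumption: any matching deny wins
        allowed = true;
    }
    return allowed;
}
```

If a caller does need the matches after a suspension point, it has to copy the entries out first; the view itself is only valid while the map is untouched.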