Fix: Reuse shared OPA HTTP client #31
Merged
NickLarsenNZ (Member) approved these changes on Jul 2, 2026 and left a comment:
Approving this on the grounds that @Jimvin tested it.
He did ask:
What would be nice would be a way to configure the number of threads from the nificluster CR. At the moment the thread pool size is 32 by default, tuning this would be helpful.
This was referenced Jul 2, 2026
This change replaces the OPA SDK's per-request HTTP transport with a shared java.net.http.HttpClient.
Addressing #30
The majority of this PR is based on the code provided by: #30 (comment) - Thanks!! :)
Background
The existing SDK transport can create a new HttpClient for each authorisation request. Under NiFi load, this may create large numbers of selector and executor threads, eventually causing native thread exhaustion and errors such as:
The new PooledHttpClient reuses one HTTP client, connection pool, selector infrastructure, and fixed-size executor across OPA authorisation requests.
Changes
Added a shared PooledHttpClient implementation.
Configured a fixed-size daemon-thread executor.
Added configurable HTTP settings (OPA_HTTP_POOL_SIZE, default 32; OPA_HTTP_CONNECT_TIMEOUT_MS, default 2000; OPA_HTTP_REQUEST_TIMEOUT_MS, default 5000).
Preserved the URI reconstruction behavior used by the upstream OPA HTTP client.
Added validation for invalid or non-positive configuration values /defensive
Removed shared dumpCache state so cache invalidation is scoped to the current OPA response.
Improved exception handling and fail-closed behavior.
Marked variables and fields as final where reassignment is not expected.
Configuration
Existing deployments do not need to add configuration because defaults are provided.
Example:
At startup, the authoriser logs the active HTTP client configuration:
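As an added illustration of the pattern this PR describes (not the PR's or the project's code): a single process-wide java.net.http.HttpClient backed by a fixed-size daemon executor, with validated settings and fail-closed handling. The class and method names are hypothetical, reading the settings from environment variables is an assumption, and the response check assumes the OPA rule returns a bare boolean in `result`.

```java
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;
import java.util.concurrent.Executors;

// Added sketch; SharedOpaClientSketch, positiveInt and isAllowed are hypothetical names.
public final class SharedOpaClientSketch {
    private static final Duration REQUEST_TIMEOUT =
            Duration.ofMillis(positiveInt("OPA_HTTP_REQUEST_TIMEOUT_MS", 5000));

    // One client for the whole process: a single selector and connection pool are reused.
    private static final HttpClient CLIENT = HttpClient.newBuilder()
            .connectTimeout(Duration.ofMillis(positiveInt("OPA_HTTP_CONNECT_TIMEOUT_MS", 2000)))
            // Fixed-size pool bounds the thread count; daemon threads never block JVM shutdown.
            .executor(Executors.newFixedThreadPool(positiveInt("OPA_HTTP_POOL_SIZE", 32), r -> {
                final Thread t = new Thread(r, "opa-http");
                t.setDaemon(true);
                return t;
            }))
            .build();

    // Unset uses the default; non-numeric or non-positive values fail at class initialisation.
    static int positiveInt(final String name, final int defaultValue) {
        final String raw = System.getenv(name); // assumption: settings come from the environment
        if (raw == null || raw.isBlank()) return defaultValue;
        try {
            final int value = Integer.parseInt(raw.trim());
            if (value > 0) return value;
        } catch (NumberFormatException ignored) { /* rejected below */ }
        throw new IllegalArgumentException(name + " must be a positive integer, got '" + raw + "'");
    }

    // Fail closed: timeouts, transport errors, non-200 statuses and unexpected bodies all deny.
    static boolean isAllowed(final URI policyUri, final String inputJson) {
        try {
            final HttpRequest request = HttpRequest.newBuilder(policyUri)
                    .timeout(REQUEST_TIMEOUT)
                    .header("Content-Type", "application/json")
                    .POST(HttpRequest.BodyPublishers.ofString(inputJson))
                    .build();
            final HttpResponse<String> rsp = CLIENT.send(request, HttpResponse.BodyHandlers.ofString());
            // Strict whole-body match: only exactly {"result": true} grants access.
            return rsp.statusCode() == 200
                    && rsp.body().matches("\\s*\\{\\s*\"result\"\\s*:\\s*true\\s*\\}\\s*");
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt(); // preserve the interrupt, still deny
            return false;
        } catch (IOException | RuntimeException e) {
            return false;
        }
    }
}
```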