This repository has been archived by the owner on Jan 24, 2024. It is now read-only.

Optimize authorization by caching authorization results #1999


BewareMyPower
Collaborator

@BewareMyPower BewareMyPower commented Aug 23, 2023

Motivation

To follow Kafka's behavior, KoP also performs authorization for each PRODUCE or FETCH request. If the custom authorization provider is slow to authorize produce or consume permissions, the performance will be impacted.

Modifications

Introduce caches for authorization:

  • PRODUCE: (topic, role) -> result
  • FETCH: (topic, role, group) -> result;

Add SlowAuthorizationTest to verify the producer and consumer won't be affected significantly by slow authorization.

Introduce two configs to configure the cache policy so that revoke permission can work:

  • kopAuthorizationCacheRefreshMs: the refresh timeout
  • kopAuthorizationCacheMaxCountPerConnection: the max cache size


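The PRODUCE cache described in this pull request, sketched as an added example (not code from KoP or from the PR): results are keyed by (topic, role), reused until the refresh timeout passes, and bounded by a maximum entry count, so a revoked permission keeps being honoured for at most one refresh interval. The class and method names, the JDK-only LRU map and the injectable clock are assumptions made for the illustration (Java 16+); the FETCH cache would add the group to the key.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.BiPredicate;
import java.util.function.LongSupplier;

// Added illustration (not KoP code): PRODUCE-style cache keyed by (topic, role).
public class AuthzCacheDemo {
    record Key(String topic, String role) {}
    record Cached(boolean allowed, long storedAtMs) {}
    private final long refreshMs;        // plays the role of kopAuthorizationCacheRefreshMs
    private final LongSupplier clock;    // injectable so the demo does not need to sleep
    private final BiPredicate<String, String> provider; // stand-in for a slow provider
    private final Map<Key, Cached> cache;

    AuthzCacheDemo(long refreshMs, int maxCount, LongSupplier clock,
                   BiPredicate<String, String> provider) {
        this.refreshMs = refreshMs;
        this.clock = clock;
        this.provider = provider;
        // Access-ordered map: the least recently used entry is evicted beyond maxCount.
        this.cache = new LinkedHashMap<>(16, 0.75f, true) {
            @Override protected boolean removeEldestEntry(Map.Entry<Key, Cached> e) {
                return size() > maxCount;
            }
        };
    }

    synchronized boolean canProduce(String topic, String role) {
        Key key = new Key(topic, role);
        Cached hit = cache.get(key);
        long now = clock.getAsLong();
        if (hit != null && now - hit.storedAtMs() < refreshMs) {
            return hit.allowed();        // fresh entry: the provider is not consulted
        }
        boolean allowed = provider.test(topic, role); // missing or expired: ask again
        cache.put(key, new Cached(allowed, now));     // denials are cached as well
        return allowed;
    }
    public static void main(String[] args) {
        long[] now = {0};                // constructed clock, in milliseconds
        boolean[] granted = {true};      // constructed ACL state held by the provider
        int[] calls = {0};
        AuthzCacheDemo authz = new AuthzCacheDemo(1000, 100, () -> now[0],
                (topic, role) -> { calls[0]++; return granted[0]; });
        System.out.println(authz.canProduce("t1", "alice")); // first request, cache miss
        granted[0] = false;              // permission revoked at the provider
        now[0] = 500;                    // inside the refresh window
        System.out.println(authz.canProduce("t1", "alice")); // answered from the cache
        now[0] = 1000;                   // refresh timeout reached
        System.out.println(authz.canProduce("t1", "alice")); // provider asked again
        System.out.println("provider calls: " + calls[0]);
    }
}
```

The refresh value is therefore the upper bound on how long a revoked role can keep producing, which is the trade-off the two new settings expose.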
@BewareMyPower BewareMyPower added the type/enhancement Indicates an improvement to an existing feature label Aug 23, 2023
@BewareMyPower BewareMyPower self-assigned this Aug 23, 2023
@github-actions github-actions bot added the no-need-doc This pr does not need any document label Aug 23, 2023
@BewareMyPower BewareMyPower marked this pull request as draft August 24, 2023 00:30
@BewareMyPower BewareMyPower marked this pull request as ready for review August 24, 2023 04:08
@codecov

codecov bot commented Aug 24, 2023

Codecov Report

Merging #1999 (9ba3925) into master (5193592) will increase coverage by 0.03%.
The diff coverage is 25.00%.


@@             Coverage Diff              @@
##             master    #1999      +/-   ##
============================================
+ Coverage     17.03%   17.06%   +0.03%     
- Complexity      727      731       +4     
============================================
  Files           191      191              
  Lines         14251    14277      +26     
  Branches       1337     1340       +3     
============================================
+ Hits           2428     2437       +9     
- Misses        11646    11663      +17     
  Partials        177      177              
Files Changed Coverage Δ
...andlers/kop/security/auth/SimpleAclAuthorizer.java 0.00% <0.00%> (ø)
...pulsar/handlers/kop/KafkaServiceConfiguration.java 76.34% <70.00%> (-0.37%) ⬇️

... and 1 file with indirect coverage changes

@BewareMyPower
Collaborator Author

@Demogorgon314 Done.

@BewareMyPower BewareMyPower merged commit 9ab8411 into streamnative:master Aug 27, 2023
19 checks passed
@BewareMyPower BewareMyPower deleted the bewaremypower/authz-optimization branch August 27, 2023 10:56
Demogorgon314 pushed a commit to Demogorgon314/kop that referenced this pull request Oct 30, 2023
…#1999) (streamnative#127)

(cherry picked from commit 9ab8411)
Demogorgon314 pushed a commit to Demogorgon314/kop that referenced this pull request Nov 28, 2023
…#1999)

(cherry picked from commit 9ab8411)