You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-issues@jackrabbit.apache.org by "Davide Giannella (JIRA)" <ji...@apache.org> on 2018/11/06 10:29:05 UTC

[jira] [Closed] (OAK-7860) Make PermissionEntryCache more resilient against OOME

     [ https://issues.apache.org/jira/browse/OAK-7860?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Davide Giannella closed OAK-7860.
---------------------------------

Bulk close 1.9.10

> Make PermissionEntryCache more resilient against OOME
> -----------------------------------------------------
>
>                 Key: OAK-7860
>                 URL: https://issues.apache.org/jira/browse/OAK-7860
>             Project: Jackrabbit Oak
>          Issue Type: Improvement
>          Components: core
>            Reporter: Alex Deparvu
>            Assignee: Alex Deparvu
>            Priority: Major
>             Fix For: 1.10, 1.9.10
>
>         Attachments: bench-patch-1,5,10.png, bench-patch-10,50,100.png, bench-trunk-1,5,10.png, bench-trunk-10,50,100-crash at 50.png
>
>
> The PermissionEntryProviderImpl (one instance per session) is responsible for serving the permission entries. It can be backed by 2 different types of caches:
> * the {{PathEntryMapCache}} which is simply a map that eagerly loads all existing permissions for a session (aka. set of principals). Used only if there are less than 250 total entries per session (all principals combined).
> * The {{DefaultPermissionCache}} backed by the {{PermissionEntryCache}}. this is the fallback for the cases where the above is too expensive to use.
> In some cases, even if the number of permission entries per principal is not too large, a session that accumulates large numbers of group principals (I've seen over 700 in one internal case), will always fallback to use the {{PermissionEntryCache}}.
> The {{PermissionEntryCache}} is a cache that is using the principal as a key and the permission entries as values. It is aggregating 2 different types of data:
> * Existing policies: maps principals to paths with (their) existing policies (regular cache stuff)
> * but it also retains paths without any relevant policies for the current session, as empty sets [0]. being a cache keyed on the 'principal', this placeholder for empty policies will be set for each principal.
> I believe this second part can be responsible for a large memory footprint, which can also be amplified by the very large number of principals in the session.
> I would like to propose separating the 2 sets contained in the cache, putting the non-relevant paths in a dedicated map with a fixed size.
> [0] https://github.com/apache/jackrabbit-oak/blob/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionEntryCache.java#L74



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)