You are viewing a plain text version of this content. The canonical link for it is here.
Posted to jira@kafka.apache.org by "Sönke Liebau (JIRA)" <ji...@apache.org> on 2018/02/25 21:34:00 UTC
[jira] [Created] (KAFKA-6591) Move check for super user in
SimpleAclProvider before ACL evaluation
Sönke Liebau created KAFKA-6591:
-----------------------------------
Summary: Move check for super user in SimpleAclProvider before ACL evaluation
Key: KAFKA-6591
URL: https://issues.apache.org/jira/browse/KAFKA-6591
Project: Kafka
Issue Type: Improvement
Components: core, security
Affects Versions: 1.0.0
Reporter: Sönke Liebau
Assignee: Sönke Liebau
Currently the check whether a user as a super user in SimpleAclAuthorizer is [performed only after all other ACLs have been evaluated|https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/security/auth/SimpleAclAuthorizer.scala#L124]. Since all requests from a super user are granted we don't really need to apply the ACLs.
I believe this is unnecessary effort that could easily be avoided. I've rigged a small test that created 1000 ACLs for a topic and performed a million authorize calls with a principal that was a super user but didn't match any ACLs.
The implementation from trunk took 43 seconds, whereas a version with the super user check moved up only took half a second. Granted, this is a constructed case, but the effects will be the same, if less pronounced for setups with fewer rules.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)