Posted to jira@kafka.apache.org by "Sönke Liebau (JIRA)" <ji...@apache.org> on 2018/02/25 21:34:00 UTC

[jira] [Created] (KAFKA-6591) Move check for super user in SimpleAclProvider before ACL evaluation

Sönke Liebau created KAFKA-6591:
-----------------------------------

             Summary: Move check for super user in SimpleAclProvider before ACL evaluation
                 Key: KAFKA-6591
                 URL: https://issues.apache.org/jira/browse/KAFKA-6591
             Project: Kafka
          Issue Type: Improvement
          Components: core, security
    Affects Versions: 1.0.0
            Reporter: Sönke Liebau
            Assignee: Sönke Liebau


Currently the check whether a user is a super user in SimpleAclAuthorizer is [performed only after all other ACLs have been evaluated|https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/security/auth/SimpleAclAuthorizer.scala#L124]. Since all requests from a super user are granted, we don't really need to apply the ACLs.

I believe this is unnecessary effort that could easily be avoided. I've rigged a small test that created 1000 ACLs for a topic and performed a million authorize calls with a principal that was a super user but didn't match any ACLs.

The implementation from trunk took 43 seconds, whereas a version with the super user check moved up only took half a second. Granted, this is a constructed case, but the effects will be the same, if less pronounced for setups with fewer rules.

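Added example, not part of the original message and not Kafka's own code: a simplified Scala model of the two orderings described above, checking that the authorization decision is identical while the number of ACL entries inspected for a super user drops to zero. The Acl and Authorizer types, the principals and the 1000 ACLs are constructed, and the model assumes deny-over-allow matching on principal and operation only.

```scala
// Simplified model for illustration; hosts, wildcards and resources are omitted.
object SuperUserOrdering {
  sealed trait Permission
  case object Allow extends Permission
  case object Deny extends Permission

  // Constructed ACL entry (hypothetical type, not Kafka's Acl class).
  final case class Acl(principal: String, permission: Permission, operation: String)

  final class Authorizer(superUsers: Set[String], acls: Seq[Acl]) {
    var comparisons = 0L // ACL entries inspected, to make the cost visible

    private def matches(principal: String, op: String, perm: Permission): Boolean =
      acls.exists { acl =>
        comparisons += 1
        acl.permission == perm && acl.principal == principal && acl.operation == op
      }

    // Ordering described in the issue: ACLs are matched first, super user is checked last.
    def authorizeAclsFirst(principal: String, op: String): Boolean = {
      val denyMatch = matches(principal, op, Deny)
      val allowMatch = matches(principal, op, Allow)
      superUsers.contains(principal) || (!denyMatch && allowMatch)
    }

    // Proposed ordering: a super user is granted before any ACL is inspected.
    def authorizeSuperUserFirst(principal: String, op: String): Boolean =
      superUsers.contains(principal) || {
        val denyMatch = matches(principal, op, Deny)
        val allowMatch = matches(principal, op, Allow)
        !denyMatch && allowMatch
      }
  }

  def main(args: Array[String]): Unit = {
    // Constructed data: 999 Allow entries plus one Deny aimed at the super user itself.
    val acls = (1 to 999).map(i => Acl(s"User:u$i", Allow, "Read")) :+ Acl("User:admin", Deny, "Read")
    for (p <- Seq("User:admin", "User:u1", "User:u500", "User:nobody")) {
      val a = new Authorizer(Set("User:admin"), acls)
      val b = new Authorizer(Set("User:admin"), acls)
      val before = a.authorizeAclsFirst(p, "Read")
      val after = b.authorizeSuperUserFirst(p, "Read")
      // The reordering must never change a decision, including for a super user with a Deny entry.
      assert(before == after, s"decision changed for $p")
      println(s"$p allowed=$after comparisons: ${a.comparisons} -> ${b.comparisons}")
    }
  }
}
```

The Deny entry for the super user is the case to keep in a regression test for such a change: both orderings grant the request, so moving the check affects cost only, not the outcome.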