Posted to jira@kafka.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2018/02/25 22:13:00 UTC

[jira] [Commented] (KAFKA-6591) Move check for super user in SimpleAclProvider before ACL evaluation

    [ https://issues.apache.org/jira/browse/KAFKA-6591?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16376272#comment-16376272 ] 

ASF GitHub Bot commented on KAFKA-6591:
---------------------------------------

soenkeliebau opened a new pull request #4618: KAFKA-6591: Move super user check before ACL matching 
URL: https://github.com/apache/kafka/pull/4618
 
 
   Currently the check whether a user is a super user in SimpleAclAuthorizer is performed only after all other ACLs have been evaluated. Since all requests from a super user are granted we don't really need to apply the ACLs.
   
   This commit returns true if the user is a super user before checking ACLs, thus bypassing the needless evaluation effort.



> Move check for super user in SimpleAclProvider before ACL evaluation
> --------------------------------------------------------------------
>
>                 Key: KAFKA-6591
>                 URL: https://issues.apache.org/jira/browse/KAFKA-6591
>             Project: Kafka
>          Issue Type: Improvement
>          Components: core, security
>    Affects Versions: 1.0.0
>            Reporter: Sönke Liebau
>            Assignee: Sönke Liebau
>            Priority: Minor
>
> Currently the check whether a user is a super user in SimpleAclAuthorizer is [performed only after all other ACLs have been evaluated|https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/security/auth/SimpleAclAuthorizer.scala#L124]. Since all requests from a super user are granted we don't really need to apply the ACLs.
> I believe this is unnecessary effort that could easily be avoided. I've rigged a small test that created 1000 ACLs for a topic and performed a million authorize calls with a principal that was a super user but didn't match any ACLs.
> The implementation from trunk took 43 seconds, whereas a version with the super user check moved up only took half a second. Granted, this is a constructed case, but the effects will be the same, if less pronounced for setups with fewer rules.
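
Added example, not part of the original message and not Kafka's code: a simplified Python model of the two orderings discussed in KAFKA-6591, checking that the decisions agree and counting the ACL entries examined for super-user calls. The `ModelAuthorizer` class, the principals and the ACL data are constructed for illustration, and the data goes beyond the issue's test by including a DENY entry that names the super user.

```python
class ModelAuthorizer:
    """Simplified model of an ACL authorizer with a super-user list (not Kafka code)."""

    def __init__(self, acls, super_users):
        # Each ACL is a tuple: (principal, operation, permission), permission is ALLOW or DENY.
        self.acls = list(acls)
        self.super_users = set(super_users)
        self.comparisons = 0  # ACL entries examined so far

    def _match(self, principal, operation, permission):
        for acl in self.acls:
            self.comparisons += 1
            if acl == (principal, operation, permission):
                return True
        return False

    def authorize_late(self, principal, operation):
        # Ordering described in the issue: ACLs are evaluated, then the super user check.
        deny = self._match(principal, operation, "DENY")
        allow = self._match(principal, operation, "ALLOW")
        return principal in self.super_users or (not deny and allow)

    def authorize_early(self, principal, operation):
        # Ordering proposed in the pull request: a super user returns before any ACL scan.
        if principal in self.super_users:
            return True
        deny = self._match(principal, operation, "DENY")
        allow = self._match(principal, operation, "ALLOW")
        return not deny and allow


def compare(acl_count=1000, calls=100):
    """Return {ordering: (decisions, comparisons spent on super-user calls)}."""
    # Constructed ACLs: ALLOW entries for other principals plus a DENY naming the super user.
    acls = [(f"User:app{i}", "Read", "ALLOW") for i in range(acl_count)]
    acls.append(("User:admin", "Read", "DENY"))
    out = {}
    for name in ("authorize_late", "authorize_early"):
        auth = ModelAuthorizer(acls, super_users={"User:admin"})
        check = getattr(auth, name)
        decisions = tuple(check(p, "Read") for p in ("User:admin", "User:app7", "User:nobody"))
        auth.comparisons = 0  # count only the super-user calls below
        for _ in range(calls):
            check("User:admin", "Read")
        out[name] = (decisions, auth.comparisons)
    return out
```

Both orderings return the same decisions in this model, including for the super user named in a DENY entry; only the number of ACL entries examined differs.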


