Sönke Liebau created KAFKA-6591:
-----------------------------------

             Summary: Move check for super user in SimpleAclProvider before ACL evaluation
                 Key: KAFKA-6591
                 URL: https://issues.apache.org/jira/browse/KAFKA-6591
             Project: Kafka
          Issue Type: Improvement
          Components: core, security
    Affects Versions: 1.0.0
            Reporter: Sönke Liebau
            Assignee: Sönke Liebau


Currently the check whether a user is a super user in SimpleAclAuthorizer is 
[performed only after all other ACLs have been 
evaluated|https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/security/auth/SimpleAclAuthorizer.scala#L124].
 Since all requests from a super user are granted we don't really need to apply 
the ACLs.

I believe this is unnecessary effort that could easily be avoided. I've rigged 
a small test that created 1000 ACLs for a topic and performed a million 
authorize calls with a principal that was a super user but didn't match any 
ACLs.

The implementation from trunk took 43 seconds, whereas a version with the super 
user check moved up only took half a second. Granted, this is a constructed 
case, but the effects will be the same, if less pronounced for setups with 
fewer rules.





--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
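
The reordering proposed in the issue, as an added example that is not part of the original message and is not Kafka's code: a simplified Python model (class and function names are hypothetical, ACL data is constructed) that counts ACL entries examined when the super user check runs after versus before ACL matching. It also confirms that both orderings return the same decisions, including for a super user who has a matching Deny ACL.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Acl:
    principal: str
    permission: str  # "Allow" or "Deny"
    operation: str

class ModelAuthorizer:
    """Toy deny-overrides-allow authorizer with super users (not Kafka's implementation)."""
    def __init__(self, acls, super_users, super_user_first):
        self.acls = list(acls)
        self.super_users = set(super_users)
        self.super_user_first = super_user_first
        self.acl_comparisons = 0  # work counter: ACL entries examined

    def _match(self, principal, operation, permission):
        for acl in self.acls:
            self.acl_comparisons += 1
            if (acl.principal, acl.operation, acl.permission) == (principal, operation, permission):
                return True
        return False

    def authorize(self, principal, operation):
        if self.super_user_first and principal in self.super_users:
            return True  # short-circuit: no ACL entry is examined
        deny = self._match(principal, operation, "Deny")
        allow = self._match(principal, operation, "Allow")
        # Super users are granted regardless of what the ACL scan found.
        return principal in self.super_users or (not deny and allow)

def compare(n_acls=1000, calls=1000):
    # Constructed data: n_acls Allow rules for other users plus two Deny rules.
    acls = [Acl(f"User:u{i}", "Allow", "Read") for i in range(n_acls)]
    acls += [Acl("User:alice", "Deny", "Read"), Acl("User:root", "Deny", "Read")]
    supers = {"User:admin", "User:root"}
    late = ModelAuthorizer(acls, supers, super_user_first=False)
    early = ModelAuthorizer(acls, supers, super_user_first=True)
    principals = ["User:admin", "User:root", "User:u7", "User:alice", "User:nobody"]
    same = all(late.authorize(p, "Read") == early.authorize(p, "Read") for p in principals)
    late.acl_comparisons = early.acl_comparisons = 0
    for _ in range(calls):  # super user that matches no ACL, as in the reported test
        late.authorize("User:admin", "Read")
        early.authorize("User:admin", "Read")
    return same, late.acl_comparisons, early.acl_comparisons

if __name__ == "__main__":
    print(compare())
```

The early check preserves decisions only because the super user grant is unconditional; in an authorizer where a Deny rule could override super user status, the two orderings would diverge.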
