KAFKA-14214: Introduce read-write lock to StandardAuthorizer for consistent ACL reads.

[akhileshchg]

KAFKA-14214: Introduce read-write lock to StandardAuthorizer for consistent ACL reads.

The issue with StandardAuthorizer#authorize is, that it looks up
aclsByResources (which is of type ConcurrentSkipListMap)twice for every
authorize call and uses Iterator with weak consistency guarantees on top of
aclsByResources. This can cause the authorize function call to process the
concurrent writes out of order.

Implemented ReadWrite lock at StandardAuthorizer level to make sure the reads
are strongly consistent with write order.

[mumrah]

Thanks for the patch @akhileshchg! Left a question inline.

As mentioned offline, it would be good to see the performance difference between the concurrent data structures and this PR. I expect this change will be slower in the case where we take a copy of the bindings in the iterator.

[mumrah]

Just to clarify my understanding.

Previously, we were wrapping the aclsByResource iterator. This was intended to be thread-safe, but as you mentioned offline, there was no guard against the underlying map getting modified during iteration (since the ConcurrentSkipListMap might show updated elements to the iterator).

Instead, we are now making a copy of the matching AclBinding and returning that's lists iterator the caller. So, basically trading off memory for consistency.

[akhileshchg]

Yes, you're right. I think there is no other way we can guarantee the consistency here other than giving an Iterable that stays constant to the client accessing Authorizer#acls.

[akhileshchg]

AclAuthorizerBenchmark.testAclsIterator                     50               ACL                20           200000  avgt        730.070          ms/op
AclAuthorizerBenchmark.testAuthorizeByResourceType          50               ACL                20           200000  avgt          0.010          ms/op
AclAuthorizerBenchmark.testAuthorizer                       50               ACL                20           200000  avgt          4.505          ms/op
AclAuthorizerBenchmark.testUpdateCache                      50               ACL                20           200000  avgt       1936.356          ms/op

Benchmark                                           (aclCount)  (authorizerType)  (denyPercentage)  (resourceCount)  Mode  Cnt     Score   Error  Units
AclAuthorizerBenchmark.testAclsIterator                     50             KRAFT                20           200000  avgt       2084.634          ms/op
AclAuthorizerBenchmark.testAuthorizeByResourceType          50             KRAFT                20           200000  avgt       6180.318          ms/op
AclAuthorizerBenchmark.testAuthorizer                       50             KRAFT                20           200000  avgt          2.768          ms/op
AclAuthorizerBenchmark.testUpdateCache                      50             KRAFT                20           200000  avgt         ≈ 10⁻⁶          ms/op

NOTE: authorizeByResourceType is not implemented in StandardAuthorizer, so it uses the default implementation in Authorizer, hence it is not in the same ballpark as AclAuthorizer. Similarly updateCache is not implemented for StandardAuthorizer (we use AclMutator, so we cannot compare the numbers).

With the new implementation, StandardAuthorizer seems to be doing worse on the AclsIterator benchmark than AclAuthorizer and doing better in testAuthorizer which calls Authorizer#authorize.

I updated the iterator method to only loop once through acls and the performance is in the same ballpark as AclAuthorizer.

Benchmark                                           (aclCount)  (authorizerType)  (denyPercentage)  (resourceCount)  Mode  Cnt     Score   Error  Units
AclAuthorizerBenchmark.testAclsIterator          50             KRAFT                20           200000  avgt       833.482          ms/op

[hachikuji]

I posted some comments on the old PR: #12627 (review). Could you take a look since it looks like they are still relevant. Also, I think we should come to some agreement regarding this comment:

I do wonder about the tradeoffs between the approach used here and what we do in AclAuthorizer. The advantage of the latter approach is that reads are never blocked. Since the authorizer needs to be accessed on every request, that is a tough advantage to overlook. On the other hand, to make it work, it looks like we would need to add batching methods for adding new ACLs since doing a copy for every ACL is probably a non-starter.

[akhileshchg]

Reopened the PR. Moved the ReadWrite lock from StandardAuthorizerData scope to StandardAuthorizer. I'm okay with most methods after moving the lock, but loadSnapshot can be pretty heavy with this implementation. Let me know your thoughts @mumrah @cmccabe @hachikuji

[cmccabe]

Thanks, @akhileshchg . Can you remove the AclAuthorizerBenchmark change from here? I can post a separate PR for this (which we don't need in 3.3...)

[akhileshchg]

I reverted the benchmark changes.

[showuon]

Reopened the PR. Moved the ReadWrite lock from StandardAuthorizerData scope to StandardAuthorizer. I'm okay with most methods after moving the lock, but loadSnapshot can be pretty heavy with this implementation. Let me know your thoughts @mumrah @cmccabe @hachikuji

The loadSnapshot is indeed a concern. I'm wondering if we can remove lock for loadSnapshot method? After all, the authorizer won't be up and ready to use before loadSnapshot completed, right? Or maybe in that case, we don't even worry about adding/removing the lock in loadSnapshot since there won't be other threads waiting for the lock

[akhileshchg]

Reopened the PR. Moved the ReadWrite lock from StandardAuthorizerData scope to StandardAuthorizer. I'm okay with most methods after moving the lock, but loadSnapshot can be pretty heavy with this implementation. Let me know your thoughts @mumrah @cmccabe @hachikuji

Reduced the critical section for loadSnapshot. The change is ready for review. @mumrah @cmccabe @hachikuji

[mumrah]

@showuon I think we need the lock in loadSnapshot since it will get called any time the broker/controller makes a snapshot. With @akhileshchg latest changes, there should be a lot less contention in this method (basically just when the new StandardAuthorizerData is create and the volatile is written).

@akhileshchg thanks for picking this back up :) I left a few minor comments inline

[mumrah]

Thanks for the updates, LGTM!