[
https://issues.apache.org/jira/browse/CASSANDRA-20293?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17924136#comment-17924136
]
Sam Tunnicliffe commented on CASSANDRA-20293:
---------------------------------------------
The patch for CASSANDRA-20090 was originally developed for 4.0.x and validation
of its performance tested on clusters running 4.0 and above. When the decision
was made to backport to 3.0 & 3.11, we overlooked the fact that the
improvements to caching of role metadata introduced by CASSANDRA-14497 were not
present in the older branches.
When using {{CassadraAuthorizer}} the additional check for superuser privileges
added in CASSANDRA-20090 equates to a read directly from the
{{system_auth.roles}} table, which is now happening on every read and write.
Rather than backport CASSANDRA-14497 (which is a fairly large patch) we can
modify the CASSANDRA-20090 fix to only perform the superuser check for system
tables.
Running a simple stress workload on patched & unpatched 3.0.31 shows the
difference:
{code:java|title=unpatched 3.0.31|borderStyle=solid}
❯ bin/cqlsh -u cassandra -p cassandra -e "CREATE KEYSPACE keyspace1 WITH
REPLICATION = {'class':'SimpleStrategy','replication_factor':1};"
❯ bin/cqlsh -u cassandra -p cassandra -e "CREATE ROLE alice WITH PASSWORD =
'password_a' AND LOGIN = true;"
❯ bin/cqlsh -u cassandra -p cassandra -e "GRANT ALL PERMISSIONS ON ALL
KEYSPACES TO alice";
❯ tools/bin/cassandra-stress write n=1M no-warmup -rate threads=100 -mode
native cql3 user=alice password="password_a" -schema keyspace="keyspace1"
Results:
op rate : 28515 [WRITE:28515]
partition rate : 28515 [WRITE:28515]
row rate : 28515 [WRITE:28515]
latency mean : 3.4 [WRITE:3.4]
latency median : 1.0 [WRITE:1.0]
latency 95th percentile : 7.6 [WRITE:7.6]
latency 99th percentile : 51.7 [WRITE:51.7]
latency 99.9th percentile : 195.5 [WRITE:195.5]
latency max : 951.1 [WRITE:951.1]
Total partitions : 1000000 [WRITE:1000000]
Total errors : 0 [WRITE:0]
total gc count : 22
total gc mb : 20230
total gc time (s) : 1
avg gc time(ms) : 31
stdev gc time(ms) : 12
Total operation time : 00:00:35
END
❯ bin/nodetool tablestats system_auth.roles
Keyspace: system_auth
Read Count: 1000090
Read Latency: 0.09701519063284304 ms.
Write Count: 2
Write Latency: 0.921 ms.
{code}
{code:java|title=patched 3.0.31|borderStyle=solid}
❯ bin/cqlsh -u cassandra -p cassandra -e "CREATE KEYSPACE keyspace1 WITH
REPLICATION = {'class':'SimpleStrategy','replication_factor':1};"
❯ bin/cqlsh -u cassandra -p cassandra -e "CREATE ROLE alice WITH PASSWORD =
'password_a' AND LOGIN = true;"
❯ bin/cqlsh -u cassandra -p cassandra -e "GRANT ALL PERMISSIONS ON ALL
KEYSPACES TO alice";
❯ tools/bin/cassandra-stress write n=1M no-warmup -rate threads=100 -mode
native cql3 user=alice password="password_a" -schema keyspace="keyspace1"
Results:
op rate : 37875 [WRITE:37875]
partition rate : 37875 [WRITE:37875]
row rate : 37875 [WRITE:37875]
latency mean : 2.5 [WRITE:2.5]
latency median : 0.8 [WRITE:0.8]
latency 95th percentile : 5.0 [WRITE:5.0]
latency 99th percentile : 33.6 [WRITE:33.6]
latency 99.9th percentile : 163.4 [WRITE:163.4]
latency max : 749.9 [WRITE:749.9]
Total partitions : 1000000 [WRITE:1000000]
Total errors : 0 [WRITE:0]
total gc count : 12
total gc mb : 10677
total gc time (s) : 1
avg gc time(ms) : 46
stdev gc time(ms) : 15
Total operation time : 00:00:26
END
❯ bin/nodetool tablestats system_auth.roles
Keyspace: system_auth
Read Count: 69
Read Latency: 2.566608695652174 ms.
Write Count: 2
Write Latency: 0.861 ms.
{code}
> Minimise expensive reads during authz flow in 3.0 & 3.11
> ---------------------------------------------------------
>
> Key: CASSANDRA-20293
> URL: https://issues.apache.org/jira/browse/CASSANDRA-20293
> Project: Apache Cassandra
> Issue Type: Improvement
> Components: Feature/Authorization
> Reporter: Michael Semb Wever
> Assignee: Sam Tunnicliffe
> Priority: Urgent
> Fix For: 3.0.x, 3.11.x
>
>
> -CASSANDRA-20090- regressed authorisation performance in 3.0.31 and 3.11.18
> releases.
> Every call to auth is (via the isSuper call) going to disk.
> This is not an issue for 4.0 and newer due to improvements to the caching of
> role metadata in CASSANDRA-14497
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
