KIP-564 — Add new cached authorizer:change the dim of cache
Accepted Security
Introduces a result-level authorization cache in the broker's ACL authorizer, keyed on `(principal, operation, resource)` tuples, so repeated authorization checks for the same subject skip ACL list traversal and return a cached decision. Without caching, each request triggers a full ACL scan over all entries, which becomes a CPU bottleneck on clusters with tens of thousands of ACLs.
Details
| Author | StevenLuMT |
| Status | Accepted |
| JIRA | KAFKA-9452 |
| Wiki | View on Apache Wiki |
| Created | 2019-12-07 |
| Last Modified | 2020-01-21 |
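
A simplified model of the result-level cache described in the summary above, as an added example that is not code from the KIP or from Kafka. The class and method names, the wildcard principal `User:*`, the deny-overrides-allow and default-deny rules, and the clear-on-ACL-change invalidation are assumptions of this sketch.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Acl:
    principal: str   # e.g. "User:alice"; "User:*" matches any principal (assumed)
    operation: str   # e.g. "READ"
    resource: str    # e.g. "Topic:orders"
    allow: bool      # False marks a DENY entry


class CachedAuthorizer:
    """Hypothetical model: full ACL scan on a miss, cached decision on a hit."""

    def __init__(self, acls=()):
        self._acls = list(acls)
        self._cache = {}   # (principal, operation, resource) -> bool
        self.scans = 0     # number of full ACL traversals performed

    def _scan(self, principal, operation, resource):
        self.scans += 1
        matched_allow = False
        for acl in self._acls:
            if (acl.operation == operation and acl.resource == resource
                    and acl.principal in (principal, "User:*")):
                if not acl.allow:
                    return False   # assumed rule: a matching DENY wins
                matched_allow = True
        return matched_allow       # assumed rule: no matching ACL means denied

    def authorize(self, principal, operation, resource):
        key = (principal, operation, resource)
        if key not in self._cache:
            self._cache[key] = self._scan(*key)
        return self._cache[key]

    def add_acl(self, acl):
        self._acls.append(acl)
        # Assumed invalidation: without it, a cached ALLOW would outlive a new DENY.
        self._cache.clear()


if __name__ == "__main__":
    # Constructed sample data: 20,000 ALLOW entries for distinct users.
    acls = [Acl(f"User:u{i}", "READ", "Topic:orders", True) for i in range(20000)]
    authz = CachedAuthorizer(acls)
    for _ in range(1000):
        authz.authorize("User:u19999", "READ", "Topic:orders")
    print("checks=1000 scans=%d" % authz.scans)
```

The cache here is unbounded; a production cache keyed on request-derived tuples needs a size limit or expiry so that many distinct principals or resources cannot grow it without bound.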