Merge pull request #12114 from StephanDollberg/acl-alloc-22-3

acl: Avoid allocations when checking implied ops
redpanda-data · Jul 17, 2023 · 4bb8ca3 · 4bb8ca3
2 parents c3cfa1e + 3a7c228
commit 4bb8ca3
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 31 deletions.
diff --git a/src/v/security/acl.h b/src/v/security/acl.h
@@ -97,29 +97,6 @@ enum class acl_operation : int8_t {
     idempotent_write = 10,
 };
 
-/*
- * Compute the implied operations based on the specified operation.
- */
-inline std::vector<acl_operation> acl_implied_ops(acl_operation operation) {
-    switch (operation) {
-    case acl_operation::describe:
-        return {
-          acl_operation::describe,
-          acl_operation::read,
-          acl_operation::write,
-          acl_operation::remove,
-          acl_operation::alter,
-        };
-    case acl_operation::describe_configs:
-        return {
-          acl_operation::describe_configs,
-          acl_operation::alter_configs,
-        };
-    default:
-        return {operation};
-    }
-}
-
 inline std::ostream& operator<<(std::ostream& os, acl_operation op) {
     switch (op) {
     case acl_operation::all:

diff --git a/src/v/security/authorizer.h b/src/v/security/authorizer.h
@@ -111,17 +111,46 @@ class authorizer final {
         }
 
         // check for allow
-        auto ops = acl_implied_ops(operation);
-        return std::any_of(
-          ops.cbegin(),
-          ops.cend(),
-          [&acls, &principal, &host](acl_operation operation) {
-              return acls.contains(
-                operation, principal, host, acl_permission::allow);
-          });
+        return acl_any_implied_ops_allowed(acls, principal, host, operation);
     }
 
 private:
+    /*
+     * Compute whether the specified operation is allowed based on the implied
+     * operations.
+     */
+    bool acl_any_implied_ops_allowed(
+      const acl_matches& acls,
+      const acl_principal& principal,
+      const acl_host& host,
+      const acl_operation operation) const {
+        auto check_op = [&acls, &principal, &host](acl_operation operation) {
+            return acls.contains(
+              operation, principal, host, acl_permission::allow);
+        };
+
+        switch (operation) {
+        case acl_operation::describe: {
+            static constexpr std::array ops = {
+              acl_operation::describe,
+              acl_operation::read,
+              acl_operation::write,
+              acl_operation::remove,
+              acl_operation::alter,
+            };
+            return std::any_of(ops.begin(), ops.end(), check_op);
+        }
+        case acl_operation::describe_configs: {
+            static constexpr std::array ops = {
+              acl_operation::describe_configs,
+              acl_operation::alter_configs,
+            };
+            return std::any_of(ops.begin(), ops.end(), check_op);
+        }
+        default:
+            return check_op(operation);
+        }
+    }
     acl_store _store;
 
     // The list of superusers is stored twice: once as a vector in the