Skip to content

Slow simple search across multiple indices with x-pack-security enabled #52673

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
lekrus opened this issue Feb 22, 2020 · 5 comments
Closed

Slow simple search across multiple indices with x-pack-security enabled #52673

lekrus opened this issue Feb 22, 2020 · 5 comments
Labels
:Security/Security Security issues without another label Team:Security Meta label for security team

Comments

@lekrus
Copy link

lekrus commented Feb 22, 2020

Elasticsearch version (bin/elasticsearch --version):
7.5.2, 7.6.0

Plugins installed:
[x-pack-security]

JVM version (java -version):
JVM[AdoptOpenJDK/OpenJDK 64-Bit Server VM/13.0.2/13.0.2+8

OS version (uname -a if on a Unix-like system):
Windows 10, Windows Server 2016

Description of the problem including expected versus actual behavior:
Very big overhead when running multi-indices searches when x-pack-security is enabled.

Steps to reproduce:
On a test cluster we have 197 indices (total size of all docs is around 100MB in all indices).
When we run a simple match_all query for all those indices without x-pack-security enabled, we receive response within 5-6ms.

{
  "size": 0,
  "query": {
    "constant_score": {
      "filter": {
        "match_all": {}
      }
    }
  }
}

After enabling x-pack-security and authenticating under a user with a simplest role:

sample_user_role:
  cluster: ["monitor","manage_ingest_pipelines"]
  indices:
    - names : ["*"]
      privileges : ['all']

the same query runs 300-330ms.
For a cluster with 1500 indices, the query without x-pack runs 100ms, with x-pack - 4500-5000ms.

We tried both file and native realms, both result in the same numbers.
The issue is similar to #42164, but we are getting bad performance even on reasonable number of indices.
@jasontedor
Copy link
Member

For the cluster with 1500 indices, the query runs long enough that you should be able to capture hot threads output a few times while the query is executing. Can you do that, execute the query, grab the hot threads output, and share it with us?

@jasontedor jasontedor added the :Security/Security Security issues without another label label Feb 22, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security (:Security/Security)

@jasontedor
Copy link
Member

Also pinging @elastic/es-perf for awareness.

@lekrus
Copy link
Author

lekrus commented Feb 24, 2020

I've attached the output, if any params should be adjusted when running that endpoint, please let me know, thank you!
hot_threads.txt

@rjernst rjernst added the Team:Security Meta label for security team label May 4, 2020
@albertzaharovits
Copy link
Contributor

Thanks for the report @lekrus !

I think this is a real performance problem for Security authorization with 1000s of indices/aliases. This is something we were vaguely aware of, but it never quite made the cut priority-wise.

Quite simply the authorization logic is complex for reasons of document and field level security (it uses a lot of maps and sets), there's no cache to it, and it's linearly worse with the number of indices queried.

I'm going to close this as duplicate of #67987 , but this is something we're currently looking into.

Thank you for raising it!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
:Security/Security Security issues without another label Team:Security Meta label for security team
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@rjernst @danielmitterdorfer @albertzaharovits @jasontedor @lekrus @elasticmachine