OPA cache settings

[jesussancheztellomm]

Hi,
Could you please provide some info about how OPA cache works?

Specifically i want to know how the initialCacheCapacity and maximumCacheSize affects the performance since i have been playing with the values and in some cases i got Java heap out of memory when the brokers starts.

In our main cluster, most of our consumers are subscribed to a topic pattern and with that scenario the consumers are requesting DESCRIBE operations for all the topics (> 2k topics) so we want to avoid OPA requests as much as possible.

Thanks in advance for your support.

[scholzj]

The OPA Authorizer plugin uses Guava to provide the caching. So these parameters are IIRC pretty muhc just passed to that. So the Guava docs might give you the details. But if I should explain it:

• For every action you take, Kafka will call the authorizer with some authorization request
• The OPA Authorizer would take this request and
  • Check whether the decision for this request is in the cache
  • If it is in the cache, it will use this decision and return it to main Kafka code
  • If it is not in the cache, it will call OPA with the authorization request to get the decision
  • The result is stored in the cache and returned to main Kafka code

The cache has expiration ... so every result stays there for a limited time and then a new OPA call is.

Basically, the cache will have a record for every operation your clients do. So for example:

• User X fetching from topic A is one record
• User X fetching from topic B is another record
• User Y fetching from topic C is another record
• User Y producing to topic C is another record
• User Y describing topic C is another record
• etc.

So how many records would be in your cache depends on the number of clients and what they do etc.

The initial cache capacity should say how big the initial cache size should be. I do not know the Guava implementation details. But I would assume that it preallocates the memory. The maximum size should limit the size from he top. I don't think I ever reached it, but I guess it would drop the oldest record in favor of the new record when reached or something like that.

In general, the bigger the cache, the more memory it consumes, but you have also less calls directly to OPA which would be a lot slower compared to the cache.

[jesussancheztellomm]

Thanks a lot for the details. I will take a look to it!

[jesussancheztellomm]

Last question, so if i understood well, the value maximumCacheSize defines the max number of records that will keep the cache, right?

[scholzj]

Yes, that is correct.

[jesussancheztellomm]

Great, thank you.