opensearch-project / security

🔐 Secure your cluster with TLS, numerous authentication backends, data masking, audit logging as well as role-based access control on indices, documents, and fields
https://opensearch.org/docs/latest/security-plugin/index/
Apache License 2.0

[BUG/performance] Serialization/Deserialization check for safe classes adds performance overhead #4760

Open krishna-ggk opened 1 month ago

krishna-ggk commented 1 month ago

What is the bug? While debugging latency contributors in an OpenSearch 2.13 cluster using JDK serialization, we noticed SafeSerializationUtils.isSafeClass adds ~20% overhead to latency, although it isn't as visible in flamegraphs (0.02%). (This was validated by short-circuiting isSafeClass to return.)


What is the expected behavior? It seems like a very low hanging fruit to gain significant performance benefit.

cwperks commented 1 month ago

[Triage] Thanks for the issue @krishna-ggk and the associated flame graph. 20% overhead sounds quite high for a method that is just to look up a class name in a list of allowed class names. This sounds like it would be a good performance benefit if it can be optimized securely. Marking this issue as triaged.
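For readers following the discussion, here is an added illustration of the kind of check being profiled: an allowlisting ObjectInputStream whose safe-class decision is a constant-time set lookup in resolveClass, which the JDK invokes once per class descriptor in the stream. This is example code written for this thread, not the plugin's SafeSerializationUtils, and the class names in the allowlist are constructed for the demo.

```java
import java.io.*;
import java.util.HashMap;
import java.util.Set;

// Hypothetical allowlisting stream for this discussion; not the plugin's SafeSerializationUtils.
public final class AllowlistObjectInputStream extends ObjectInputStream {
    // Constructed allowlist: a HashSet makes the per-descriptor check O(1);
    // scanning a List on every resolveClass call is where overhead accumulates.
    private static final Set<String> ALLOWED = Set.of(
        "java.util.HashMap", "java.lang.Integer", "java.lang.Number");

    public AllowlistObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        // Called once per class descriptor in the stream (superclasses included),
        // so this is the hot path: reject before any class is loaded.
        if (!ALLOWED.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "not on deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    // Serialize, then read back through the allowlist; returns the round-tripped object.
    public static Object roundTrip(Object value) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(value);
        }
        try (ObjectInputStream ois =
                 new AllowlistObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        HashMap<String, Integer> ok = new HashMap<>();
        ok.put("shards", 5);
        System.out.println("allowed: " + roundTrip(ok));        // map deserializes normally
        try {
            roundTrip(new java.util.ArrayList<>());              // ArrayList is not allowlisted
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());  // thrown before the class loads
        }
    }
}
```

The rejection happens in resolveClass before any class is loaded, so the security property does not depend on the allowlist's data structure; only the cost per descriptor does.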