Uploaded image for project: 'Dev - Nexus Repo'
  1. Dev - Nexus Repo
  2. NEXUS-28867

Poor performance in service/rest/v1/search API for large repo caused by ContentAuthPluginScript

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.32.0
    • Fix Version/s: None
    • Component/s: REST, Search
    • Labels:

      Description

      Hi,
      we noticed that service/rest/v1/search API is performing poorly for hosted docker repo with large (332123) number of components. We did some profiling, and it looks like most of the CPU time is taken up by ContentAuthPluginScript, You can see that in the attached FlameGraph.
      After enabling TRACE logging on org.sonatype.nexus.security.SecurityHelper, I can see that for one search request (service/rest/v1/search?format=docker&repository=my-repo), permissions are checked 332173 times, although only 50 results are returned by API.

      grep "org.sonatype.nexus.security.SecurityHelper - Checking if subject 'anonymous' has ANY of these permissions: \[nexus:repository-view:docker:my-repo:browse\]" nexus.log | wc -l
      332173

      I think it is a performance bug, search doesn't scale well with number of components in a repo. Could it be possible to limit the number of permission checks performed or cache the result of a permission check for given repo?

        Attachments

          Activity

            People

            Assignee:
            Unassigned Unassigned
            Reporter:
            piotr.filip@comarch.com Piotr Filip
            Last Updated By:
            Piotr Filip Piotr Filip
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:
              Date of First Response:

                tigCommentSecurity.panel-title