
How to estimate size for Apache Shiro permissions cache?

For example, permission strings are implemented in the format:

<domain>:<resource_group>:<resource_name>:<permission>

for example

my-domain:resource-group-0001:resource-0001:permission-001

Would Shiro store all those strings as plain text? In our case, we have 10,000+ users, 10,000+ resources and up to 100 possible permissions. Of course only a fraction of all permutations would be present, but even then we are looking at 200M+ entries with potentially 10+ GB of data, which would be taxing for an in-memory cache.

The data would not be coming from a database in plain form, so no ehcache here. However, we do have to make this cache distributed, so the current (smaller scale) implementation uses Redis.

1 Answer

Estimating sizes is really difficult. We (the SHIRO Team) haven't done it. You might be better off with a cache that will "forget" old entries.

Shiro will store more than just the permission String. You can see it here (1.9.x branch): AuthorizingRealm.java:317-337. The method will retrieve (and store) an AuthorizationInfo object. That means it will serialize this object containing:

Collection<String> getRoles();

Collection<String> getStringPermissions();

Collection<Permission> getObjectPermissions();

Now, it is different per user how many Roles and String- or ObjectPermissions they have. It may vary greatly, even within the same application.

The Permission is yet another nested structure. The default implementation, WildcardPermission, will internally tear the String apart into multiple Collections:

private List<Set<String>> parts;

Then, the last thing to store is the cache Key, which is a PrincipalCollection. However, it is usually just a single Principal for most applications (i.e. a collection of size one).


If you need an estimate, you could extend the Realm you are using and override the method protected AuthorizationInfo getAuthorizationInfo(PrincipalCollection principals); to print the serialized size. However, this should only be done in a test environment.


I hope you now have an overview of what is being saved (and serialized). Let us know whether this helps to do the numbers!


1 Comment

Not very encouraging, but thank you very much!
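The test-environment measurement suggested in the answer, as an added example that is not part of the original post or Shiro's own code. The class name SizeProbeRealm, the 500 constructed permission strings and the use of plain Java serialization are assumptions; a Redis-backed cache may use a different serializer and produce different sizes.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

public class SizeProbeRealm extends AuthorizingRealm { // hypothetical, test-only realm
    private long lookups, bytes;

    @Override
    protected synchronized AuthorizationInfo getAuthorizationInfo(PrincipalCollection principals) {
        AuthorizationInfo info = super.getAuthorizationInfo(principals);
        if (info != null) { // null means there were no principals or no account data
            lookups++;
            bytes += serializedSize(principals) + serializedSize(info); // cache key + value
        }
        return info;
    }
    /** Mean bytes per key + value over all lookups so far (cache hits are counted too). */
    public synchronized long averageEntryBytes() { return lookups == 0 ? 0 : bytes / lookups; }

    static int serializedSize(Object o) {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        } catch (IOException e) { // e.g. a custom Permission that is not Serializable
            throw new IllegalStateException("not serializable: " + o.getClass(), e);
        }
        return buf.size();
    }

    @Override // Stand-in for the real lookup: 500 constructed permissions for every user.
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        for (int i = 1; i <= 500; i++)
            info.addStringPermission(String.format("my-domain:resource-group-0001:resource-%04d:permission-001", i));
        return info;
    }
    @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) { return null; }

    public static void main(String[] args) {
        SizeProbeRealm realm = new SizeProbeRealm();
        realm.getAuthorizationInfo(new SimplePrincipalCollection("user-0001", realm.getName()));
        System.out.println(realm.averageEntryBytes() + " bytes per user entry");
    }
}
```

To measure a real application, extend the realm already in use instead of AuthorizingRealm and drop the two stand-in methods; the average multiplied by the number of users expected to be cached at once gives the estimate.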
