Cache namespace-filtered policy enforcers to fix CPU hotspot#2480
Merged
thjaeckle merged 2 commits intoJul 3, 2026
Merged
Conversation
PolicyEnforcer.forNamespace(ns) rebuilt the entire TreeBasedPolicyEnforcer on every enforced signal when a policy had namespace-scoped entries (introduced with eclipse-ditto#2325 in 3.9.0). A prod JFR profile of ditto-things showed this path (ThingEnforcerActor -> forNamespace -> defaultEvaluator -> createInstance) accounting for ~18% of JVM user CPU. The base PolicyEnforcer is cached per policy and replaced wholesale on every policy update, so forNamespace(ns) is a pure function of the namespace for a given instance. Memoize its result in a per-instance Caffeine cache so the enforcer tree is built at most once per distinct namespace instead of per signal. The memo is invalidated naturally when the instance is replaced. The "return this" fast-path (no entries filtered) is preserved. forNamespace is only ever called by the things-service enforcer on the long-lived, provider-cached instances (from PolicyEnforcerCacheLoader), so only those get a bounded cache whose size is operator-configurable via ditto.policies-enforcer-cache.namespace-filtered-enforcer-max-size (default 100, env DITTO_POLICIES_ENFORCER_NAMESPACE_FILTERED_MAX_SIZE). All other construction paths (of/embed/withResolvedImports, filtered children, and the policies-service enforcers) never accumulate in the cache and use an unbounded (always-empty) one, so no hard-coded default size is needed. Helm values and the policies/things/connectivity deployment templates expose the new setting. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
bbf9050 to
5141d85
Compare
Member
Author
|
System tests passed: https://github.com/eclipse-ditto/ditto/actions/runs/28599981076 |
hu-ahmed
reviewed
Jul 3, 2026
hu-ahmed
left a comment
Contributor
There was a problem hiding this comment.
LGTM!
just small minor stuff
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
PolicyEnforcer.forNamespace(ns) rebuilt the entire TreeBasedPolicyEnforcer on every enforced signal when a policy had namespace-scoped entries (introduced with #2325 in 3.9.0). A prod JFR profile of ditto-things showed this path (ThingEnforcerActor -> forNamespace -> defaultEvaluator -> createInstance) accounting for ~18% of JVM user CPU.
The base PolicyEnforcer is cached per policy and replaced wholesale on every policy update, so forNamespace(ns) is a pure function of the namespace for a given instance. Memoize its result in a per-instance Caffeine cache so the enforcer tree is built at most once per distinct namespace instead of per signal. The memo is invalidated naturally when the instance is replaced. The "return this" fast-path (no entries filtered) is preserved.
forNamespace is only ever called by the things-service enforcer on the long-lived, provider-cached instances (from PolicyEnforcerCacheLoader), so only those get a bounded cache whose size is operator-configurable via ditto.policies-enforcer-cache.namespace-filtered-enforcer-max-size (default 100, env DITTO_POLICIES_ENFORCER_NAMESPACE_FILTERED_MAX_SIZE). All other construction paths (of/embed/withResolvedImports, filtered children, and the policies-service enforcers) never accumulate in the cache and use an unbounded (always-empty) one, so no hard-coded default size is needed.
Helm values and the policies/things/connectivity deployment templates expose the new setting.