chore: remove locks from acl validation in the hot path

src/server/acl/acl_family.cc

@@ -3,6 +3,8 @@
 
 #include "server/acl/acl_family.h"
 
+#include <glog/logging.h>
+
 #include <cctype>
 #include <optional>
 #include <variant>
@@ -12,6 +14,7 @@
 #include "absl/strings/match.h"
 #include "absl/strings/str_cat.h"
 #include "core/overloaded.h"
+#include "facade/dragonfly_connection.h"
 #include "facade/facade_types.h"
 #include "server/acl/acl_commands_def.h"
 #include "server/command_registry.h"
@@ -46,6 +49,9 @@ static std::string AclToString(uint32_t acl_category) {
   return tmp;
 }
 
+AclFamily::AclFamily(util::ProactorPool& pp) : pp_(pp) {
+}
+
 void AclFamily::Acl(CmdArgList args, ConnectionContext* cntx) {
   (*cntx)->SendError("Wrong number of arguments for acl command");
 }
@@ -157,12 +163,31 @@ std::variant<User::UpdateRequest, ErrorReply> ParseAclSetUser(CmdArgList args) {
 
 }  // namespace
 
+void AclFamily::StreamUpdatesToAllProactorConnections(std::string_view user, uint32_t update_cat) {
+  auto update_cb = [user, update_cat]([[maybe_unused]] size_t id, util::Connection* conn) {
+    DCHECK(conn);
+    auto connection = static_cast<facade::Connection*>(conn);
+    auto ctx = static_cast<ConnectionContext*>(connection->cntx());
+    if (ctx && user == ctx->authed_username) {
+      ctx->acl_categories = update_cat;
+    }
+  };
+
+  pp_.AwaitFiberOnAll([this, update_cb](util::ProactorBase* pb) {
+    for (auto& listener : listeners_) {
+      listener->TraverseConnections(update_cb);
+    }
+  });
+}
+
 void AclFamily::SetUser(CmdArgList args, ConnectionContext* cntx) {
   std::string_view username = facade::ToSV(args[0]);
   auto req = ParseAclSetUser(args.subspan(1));
   auto error_case = [cntx](ErrorReply&& error) { (*cntx)->SendError(error); };
-  auto update_case = [username, cntx](User::UpdateRequest&& req) {
+  auto update_case = [username, cntx, this](User::UpdateRequest&& req) {
     ServerState::tlocal()->user_registry->MaybeAddAndUpdate(username, std::move(req));
+    auto cred = ServerState::tlocal()->user_registry->GetCredentials(username);
+    StreamUpdatesToAllProactorConnections(username, cred.acl_categories);
     (*cntx)->SendOk();
   };
 
@@ -171,8 +196,15 @@ void AclFamily::SetUser(CmdArgList args, ConnectionContext* cntx) {
 
 using CI = dfly::CommandId;
 
-#define HFUNC(x) SetHandler(&AclFamily::x)
+using MemberFunc = void (AclFamily::*)(CmdArgList args, ConnectionContext* cntx);
+
+inline CommandId::Handler HandlerFunc(AclFamily* acl, MemberFunc f) {
+  return [=](CmdArgList args, ConnectionContext* cntx) { return (acl->*f)(args, cntx); };
+}
 
+#define HFUNC(x) SetHandler(HandlerFunc(this, &AclFamily::x))
+
+constexpr uint32_t kAcl = acl::CONNECTION;
 constexpr uint32_t kList = acl::ADMIN | acl::SLOW | acl::DANGEROUS;
 constexpr uint32_t kSetUser = acl::ADMIN | acl::SLOW | acl::DANGEROUS;
 
@@ -184,7 +216,7 @@ constexpr uint32_t kSetUser = acl::ADMIN | acl::SLOW | acl::DANGEROUS;
 // easy to handle that case explicitly in `DispatchCommand`.
 
 void AclFamily::Register(dfly::CommandRegistry* registry) {
-  *registry << CI{"ACL", CO::NOSCRIPT | CO::LOADING, 0, 0, 0, 0, acl::kList}.HFUNC(Acl);
+  *registry << CI{"ACL", CO::NOSCRIPT | CO::LOADING, 0, 0, 0, 0, acl::kAcl}.HFUNC(Acl);
   *registry << CI{"ACL LIST", CO::ADMIN | CO::NOSCRIPT | CO::LOADING, 1, 0, 0, 0, acl::kList}.HFUNC(
       List);
   *registry << CI{"ACL SETUSER", CO::ADMIN | CO::NOSCRIPT | CO::LOADING, -2, 0, 0, 0, acl::kSetUser}
@@ -193,4 +225,8 @@ void AclFamily::Register(dfly::CommandRegistry* registry) {
 
 #undef HFUNC
 
+void AclFamily::Init(std::vector<facade::Listener*> listeners) {
+  listeners_ = std::move(listeners);
+}
+
 }  // namespace dfly::acl

src/server/acl/acl_family.h

@@ -4,22 +4,39 @@
 
 #pragma once
 
+#include <cstdint>
+#include <string_view>
+#include <vector>
+
+#include "facade/dragonfly_listener.h"
+#include "helio/util/proactor_pool.h"
 #include "server/common.h"
 
 namespace dfly {
+
 class ConnectionContext;
 class CommandRegistry;
 
 namespace acl {
 
-class AclFamily {
+class AclFamily final {
  public:
-  static void Register(CommandRegistry* registry);
+  explicit AclFamily(util::ProactorPool& pp);
+
+  void Register(CommandRegistry* registry);
+  void Init(std::vector<facade::Listener*> listeners);
 
  private:
-  static void Acl(CmdArgList args, ConnectionContext* cntx);
-  static void List(CmdArgList args, ConnectionContext* cntx);
-  static void SetUser(CmdArgList args, ConnectionContext* cntx);
+  void Acl(CmdArgList args, ConnectionContext* cntx);
+  void List(CmdArgList args, ConnectionContext* cntx);
+  void SetUser(CmdArgList args, ConnectionContext* cntx);
+
+  // Helper function that updates all open connections and their
+  // respective ACL fields on all the available proactor threads
+  void StreamUpdatesToAllProactorConnections(std::string_view user, uint32_t update_cat);
+
+  std::vector<facade::Listener*> listeners_;
+  util::ProactorPool& pp_;
 };
 
 }  // namespace acl

src/server/acl/validator.cc

@@ -4,16 +4,12 @@
 
 #include "server/acl/validator.h"
 
-#include "server/server_state.h"
-
 namespace dfly::acl {
 
 [[nodiscard]] bool IsUserAllowedToInvokeCommand(const ConnectionContext& cntx,
                                                 const facade::CommandId& id) {
-  auto& registry = *ServerState::tlocal()->user_registry;
-  auto credentials = registry.GetCredentials(cntx.authed_username);
   auto command_credentials = id.acl_categories();
-  return (credentials.acl_categories & command_credentials) != 0;
+  return (cntx.acl_categories & command_credentials) != 0;
 }
 
 }  // namespace dfly::acl

src/server/acl/validator.h

@@ -4,8 +4,6 @@
 
 #pragma once
 
-#include <string_view>
-
 #include "facade/command_id.h"
 #include "server/conn_context.h"
 

src/server/conn_context.h

@@ -7,6 +7,7 @@
 #include <absl/container/fixed_array.h>
 #include <absl/container/flat_hash_set.h>
 
+#include "acl/acl_commands_def.h"
 #include "core/fibers.h"
 #include "facade/conn_context.h"
 #include "facade/reply_capture.h"
@@ -197,6 +198,7 @@ class ConnectionContext : public facade::ConnectionContext {
   FlowInfo* replication_flow;
 
   std::string authed_username{"default"};
+  uint32_t acl_categories{acl::ALL};
 
  private:
   void EnableMonitoring(bool enable) {

src/server/main_service.cc

@@ -608,7 +608,7 @@ optional<ShardId> GetRemoteShardToRunAt(const Transaction& tx) {
 }  // namespace
 
 Service::Service(ProactorPool* pp)
-    : pp_(*pp), server_family_(this), cluster_family_(&server_family_) {
+    : pp_(*pp), acl_family_(*pp), server_family_(this), cluster_family_(&server_family_) {
   CHECK(pp);
   CHECK(shard_set == NULL);
 
@@ -665,6 +665,7 @@ void Service::Init(util::AcceptServer* acceptor, std::vector<facade::Listener*>
 
   shard_set->Init(shard_num, !opts.disable_time_update);
 
+  acl_family_.Init(listeners);
   request_latency_usec.Init(&pp_);
   StringFamily::Init(&pp_);
   GenericFamily::Init(&pp_);
@@ -2127,7 +2128,7 @@ void Service::RegisterCommands() {
   BitOpsFamily::Register(&registry_);
   HllFamily::Register(&registry_);
   SearchFamily::Register(&registry_);
-  acl::AclFamily::Register(&registry_);
+  acl_family_.Register(&registry_);
 
   server_family_.Register(&registry_);
   cluster_family_.Register(&registry_);

src/server/main_service.h

@@ -9,6 +9,7 @@
 #include "base/varz_value.h"
 #include "core/interpreter.h"
 #include "facade/service_interface.h"
+#include "server/acl/acl_family.h"
 #include "server/acl/user_registry.h"
 #include "server/cluster/cluster_family.h"
 #include "server/command_registry.h"
@@ -165,6 +166,7 @@ class Service : public facade::ServiceInterface {
   util::ProactorPool& pp_;
 
   acl::UserRegistry user_registry_;
+  acl::AclFamily acl_family_;
   ServerFamily server_family_;
   ClusterFamily cluster_family_;
   CommandRegistry registry_;

src/server/server_family.cc

@@ -1554,6 +1554,8 @@ void ServerFamily::Auth(CmdArgList args, ConnectionContext* cntx) {
     auto is_authorized = registry->AuthUser(username, password);
     if (is_authorized) {
       cntx->authed_username = username;
+      auto cred = registry->GetCredentials(username);
+      cntx->acl_categories = cred.acl_categories;
       return (*cntx)->SendOk();
     }
     return (*cntx)->SendError(absl::StrCat("Could not authorize user: ", username));