Thread
Commits
-
Optimize roles_is_member_of() with a Bloom filter.
- d365ae705409 17.0 landed
-
Use a hash table for catcache.c's CatCList objects.
- 473182c9523a 17.0 landed
- 14e991db89b1 16.3 landed
-
Slow GRANT ROLE on PostgreSQL 16 with thousands of ROLEs
alex work <alexwork033@gmail.com> — 2024-03-21T07:10:06Z
Hello, we run multiple versions of PostgreSQL instances on production. Some time ago we add new physical servers and decided to go with latest GA from pgdg APT repository, that is PostgreSQL 16. We encounter slow `GRANT ROLES` only on PostgreSQL 16 instances up to 42 seconds in production, the client process at PostgresSQL would use 100% of the CPU. Which is a surprise compared to other instances running older PostgreSQL releases. On production we have a *LOT* of ROLEs, which unfortunately a case that we did not test before switching the new servers into production mode. The Application & ROLEs ----------------------- Our application make use of ROLEs. We create group ROLEs for each tenant of our application, these ROLEs are named with `d_` and `a_` prefix. A special ROLE, called `acc`, it will be a member to each of these `d_` and `a_` ROLEs. The application have a concept of "session", which it would mantain and I think outside the scope of this e-mail. In relation to PostgreSQL, the application would create a PostgreSQL ROLE that corresponds to its own (application) session. It would name these ROLEs with `s_` prefix, which CREATEd and GRANTed its permission on every application's "session". When an application "session" started, user with `acc` ROLE would grant membersip of `d_` ROLE to `s_` ROLE (ie. GRANT ROLE `d_xxxx` TO `s_xxxx`;) To make this clear, for example, we have (say) role `d_202402` already existing and application would create a new ROLE `s_0000001` which corresponds to application's "session". Application that connects with special ROLE `acc` would GRANT ROLE `d_202402` to the ROLE `s_0000001`, like so: GRANT d_202402 TO s_0000001; In production we have up to 13 thousands of these ROLEs, each: $ sudo -u postgres psql -p 5531 psql (16.2 (Debian 16.2-1.pgdg120+2)) Type "help" for help. postgres=# select count(*) s_roles_count from pg_catalog.pg_authid where rolname like 's_%'; s_roles_count --------------- 13299 (1 row) postgres=# select count(*) a_roles_count from pg_catalog.pg_authid where rolname like 'a_%'; a_roles_count --------------- 12776 (1 row) postgres=# select count(*) d_roles_count from pg_catalog.pg_authid where rolname like 'd_%'; d_roles_count --------------- 13984 (1 row) The Setup --------- Investigating this slow `GRANT ROLE` we start a VM running Debian 11, and create a lot of roles. create special `acc` role and write to some file: $ echo -e "CREATE ROLE acc WITH LOGIN NOSUPERUSER INHERIT CREATEDB CREATEROLE NOREPLICATION;\n\n" > create_acc.sql create a lot of `a_` roles and make sure `acc` is member of each one of them: $ for idx1 in $(seq -w 1 100); do for idx2 in $(seq -w 1 12); do for idx3 in $(seq -w 1 10); do echo "CREATE ROLE a_${idx1}${idx2}${idx3} WITH NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT LOGIN;"; echo "GRANT a_${idx1}${idx2}${idx3} TO acc WITH ADMIN OPTION;"; done; done; done > create_a.sql create a lot of `d_` roles and make sure `acc` is member of each one of them: $ for idx1 in $(seq -w 1 100); do for idx2 in $(seq -w 1 12); do for idx3 in $(seq -w 1 10); do echo "CREATE ROLE d_${idx1}${idx2}${idx3} WITH NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT LOGIN;"; echo "GRANT d_${idx1}${idx2}${idx3} TO acc WITH ADMIN OPTION;"; done; done; done > create_d.sql create a lot of `s_` roles: $ for idx1 in $(seq -w 1 100); do for idx2 in $(seq -w 1 12); do for idx3 in $(seq -w 1 10); do echo "CREATE ROLE s_${idx1}${idx2}${idx3} WITH NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT LOGIN;"; done; done; done > create_s.sql merge ROLE creation into one file: $ cat create_acc.sql create_a.sql create_d.sql create_s.sql > /tmp/create-roles.sql PostgreSQL 16 ------------- Install PostgreSQL 16: -- $ sudo sh -c 'echo "deb https://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list' $ sudo apt install gnupg2 $ wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add - $ sudo apt-get update $ sudo apt-get -y install postgresql-16 postgresql-client-16 Create PostgreSQL 16 instance: -- $ sudo pg_dropcluster --stop 16 main # drop default Debian cluster $ sudo pg_createcluster 16 pg16 $ echo "local all acc trust" | sudo tee /etc/postgresql/16/pg16/pg_hba.conf $ echo "local all postgres peer" | sudo tee -a /etc/postgresql/16/pg16/pg_hba.conf $ sudo systemctl start postgresql@16-pg16.service Import lots of roles: -- $ sudo -u postgres /usr/lib/postgresql/16/bin/psql -f /tmp/create-roles.sql -p 5432 -d postgres Using ROLE `acc`, grant `d_` ROLE to a session ROLE: -- $ time sudo -u postgres /usr/lib/postgresql/16/bin/psql -U acc postgres -c 'GRANT d_0010109 TO s_0010109;' GRANT ROLE real 0m7.579s user 0m0.054s sys 0m0.020s This is the surprising behavior for PostgreSQL 16. It seems there's a new logic in PostgreSQL that checks against each role, and it took 100% of CPU. At this point we know `acc` is just another ROLE that happens to have ADMIN privilege that is a member of `d_0010109` group ROLE. But what happens when `acc` is a SUPERUSER? Alter role `acc` as SUPERUSER: -- $ sudo -u postgres /usr/lib/postgresql/16/bin/psql -c 'ALTER ROLE acc WITH SUPERUSER' ALTER ROLE This is a workaround to make GRANT ROLE bearable. Using ROLE `acc`, grant `d_` ROLE to a session ROLE, again: -- $ time sudo -u postgres /usr/lib/postgresql/16/bin/psql -U acc postgres -c 'GRANT d_0010108 TO s_0010108;' GRANT ROLE real 0m0.079s user 0m0.054s sys 0m0.019s OK this is fast. But what hapens when `acc` is back being not a SUPERUSER? Alter role `acc` to stop being SUPERUSER: -- $ sudo -u postgres psql -c 'ALTER ROLE acc WITH NOSUPERUSER' ALTER ROLE Using ROLE `acc`, grant `d_` ROLE to a session ROLE with `acc` not a SUPERUSER: -- $ time sudo -u postgres /usr/lib/postgresql/16/bin/psql -U acc postgres -c 'GRANT d_0010107 TO s_0010107;' GRANT ROLE real 0m7.741s user 0m0.055s sys 0m0.021s As expected, slow `GRANT ROLE` again. At this point, we try with PostgreSQL 15 just to make sure that this is new to PostgreSQL 16. $ sudo systemctl stop postgresql@16-pg16 PostgreSQL 15 ------------- Install PostgreSQL 15: -- $ sudo apt-get update $ sudo apt-get -y install postgresql-15 postgresql-client-15 $ sudo pg_dropcluster --stop 15 main # drop default Debian cluster $ sudo pg_createcluster 15 pg15 $ echo "local all acc trust" | sudo tee /etc/postgresql/15/pg15/pg_hba.conf $ echo "local all postgres peer" | sudo tee -a /etc/postgresql/15/pg15/pg_hba.conf $ sudo systemctl start postgresql@15-pg15.service Import lots of roles: -- $ sudo -u postgres /usr/lib/postgresql/15/bin/psql -f /tmp/create-roles.sql -p 5433 -d postgres Using ROLE `acc`, grant `d_` ROLE to a session ROLE: -- $ time sudo -u postgres /usr/lib/postgresql/15/bin/psql -U acc -p 5433 postgres -c 'GRANT d_0010109 TO s_0010109;' GRANT ROLE real 0m0.077s user 0m0.054s sys 0m0.017s Seems OK with the same amount of ROLEs. The `acc` ROLE is not a SUPERUSER here. Alter role `acc` as SUPERUSER: -- $ sudo -u postgres /usr/lib/postgresql/15/bin/psql -p 5433 -c 'ALTER ROLE acc WITH SUPERUSER' ALTER ROLE Using ROLE `acc`, grant `d_` ROLE to a session ROLE, again: -- $ time sudo -u postgres /usr/lib/postgresql/15/bin/psql -p 5433 -U acc postgres -c 'GRANT d_0010108 TO s_0010108;' GRANT ROLE real 0m0.084s user 0m0.057s sys 0m0.021s Doesn't matter, GRANT ROLE works still as fast. Alter role `acc` to stop being a SUPERUSER: -- $ sudo -u postgres /usr/lib/postgresql/15/bin/psql -p 5433 -c 'ALTER ROLE acc WITH NOSUPERUSER' ALTER ROLE Using ROLE `acc`, grant `d_` ROLE to a session ROLE with `acc` not a SUPERUSER: -- $ time sudo -u postgres /usr/lib/postgresql/15/bin/psql -p 5433 -U acc postgres -c 'GRANT d_0010107 TO s_0010107;' GRANT ROLE real 0m0.077s user 0m0.054s sys 0m0.017s Again, doesn't matter, GRANT ROLE works still as fast. Looking At The Source Code -------------------------- Looking at git diff of `REL_15_6` against `REL_16_0`, it seems the `roles_is_member_of` function called by the new in PostgreSQL 16 `check_role_membership_authorization` is expensive for our use case. REL_16_0: src/backend/commands/user.c:1562 ---8<------ (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); roleid = get_role_oid(rolename, false); check_role_membership_authorization(currentUserId, roleid, stmt->is_grant); if (stmt->is_grant) --->8------ While I can see the value in improvements on how ROLEs are being handled PostgreSQL 16 onward, I'm curious what would help for setups that has thousands of ROLEs like us outside of patching the source code? -
Re: Slow GRANT ROLE on PostgreSQL 16 with thousands of ROLEs
Dominique Devienne <ddevienne@gmail.com> — 2024-03-21T07:59:29Z
On Thu, Mar 21, 2024 at 8:10 AM alex work <alexwork033@gmail.com> wrote: > We encounter slow `GRANT ROLES` only on PostgreSQL 16 instances up to 42 > seconds > in production, the client process at PostgresSQL would use 100% of the > CPU. [...] > Using ROLE `acc`, grant `d_` ROLE to a session ROLE: > real 0m7.579s [...] PostgreSQL 15 > Using ROLE `acc`, grant `d_` ROLE to a session ROLE: > real 0m0.077s > Ouch, that's a ~ 100x regression. Thanks for the write-up, that's worrying. We don't have as many ROLEs, but we do have plenty, so this is worrying. On top of the v16 ROLE changes breaking on ROLE logic, which was fine prior (v12-v15). We've paused for now our planned v16 upgrade, until we have more time to adapt. Like you, I welcome the changes. But it turns out more expensive to adapt to them. And your report certainly makes me wonder whether we should hold off until that perf regression is addressed. Thanks, --DD
-
Re: Slow GRANT ROLE on PostgreSQL 16 with thousands of ROLEs
Tom Lane <tgl@sss.pgh.pa.us> — 2024-03-21T16:07:36Z
[ redirecting to -hackers ] alex work <alexwork033@gmail.com> writes: > We encounter slow `GRANT ROLES` only on PostgreSQL 16 instances up to 42 seconds > in production, the client process at PostgresSQL would use 100% of the CPU. > Which is a surprise compared to other instances running older PostgreSQL > releases. On production we have a *LOT* of ROLEs, which unfortunately a case > that we did not test before switching the new servers into production mode. I poked into this a bit. It seems the problem is that as of v16, we try to search for the "best" role membership path from the current user to the target role, and that's done in a very brute-force way, as a side effect of computing the set of *all* role memberships the current role has. In the given case, we could have skipped all that if we simply tested whether the current role is directly a member of the target: it is, so there can't be any shorter path. But in any case roles_is_member_of has horrid performance when the current role is a member of a lot of roles. It looks like part of the blame might be ascribable to catcache.c, as if you look at the problem microscopically you find that roles_is_member_of is causing catcache to make a ton of AUTHMEMMEMROLE catcache lists, and SearchSysCacheList is just iterating linearly through the cache's list-of-lists, so that search is where the O(N^2) time is actually getting taken. Up to now that code has assumed that any one catcache would not have very many catcache lists. Maybe it's time to make that smarter; but since we've gotten away with this implementation for decades, I can't help feeling that the real issue is with roles_is_member_of's usage pattern. For self-containedness, attached is a directly usable shell script to reproduce the problem. The complaint is that the last GRANT takes multiple seconds (about 5s on my machine), rather than milliseconds. regards, tom lane
-
Re: Slow GRANT ROLE on PostgreSQL 16 with thousands of ROLEs
Tom Lane <tgl@sss.pgh.pa.us> — 2024-03-21T17:00:39Z
I wrote: > I poked into this a bit. It seems the problem is that as of v16, we > try to search for the "best" role membership path from the current > user to the target role, and that's done in a very brute-force way, > as a side effect of computing the set of *all* role memberships the > current role has. Actually, roles_is_member_of sucks before v16 too; the new thing is only that it's being invoked during GRANT ROLE. Using the roles created by the given test case, I see in v15: $ psql psql (15.6) Type "help" for help. regression=# drop table at; DROP TABLE regression=# set role a_0010308; SET regression=> create table at(f1 int); CREATE TABLE regression=> \timing Timing is on. regression=> set role acc; SET Time: 0.493 ms regression=> insert into at values(1); INSERT 0 1 Time: 3565.029 ms (00:03.565) regression=> insert into at values(1); INSERT 0 1 Time: 2.308 ms So it takes ~3.5s to populate the roles_is_member_of cache for "acc" given this membership set. This is actually considerably worse than in v16 or HEAD, where the same test takes about 1.6s for me. Apparently the OP has designed their use-case so that they dodge these implementation problems in v15 and earlier, but that's a far cry from saying that there were no problems with lots-o-roles before v16. regards, tom lane
-
Re: Slow GRANT ROLE on PostgreSQL 16 with thousands of ROLEs
Wolfgang Walther <walther@technowledgy.de> — 2024-03-21T18:47:17Z
Tom Lane: > Actually, roles_is_member_of sucks before v16 too; the new thing > is only that it's being invoked during GRANT ROLE. Using the > roles created by the given test case, I see in v15: > > [...] > So it takes ~3.5s to populate the roles_is_member_of cache for "acc" > given this membership set. This is actually considerably worse than > in v16 or HEAD, where the same test takes about 1.6s for me. Ah, this reminds me that I hit the same problem about a year ago, but haven't had the time to put together a test-case, yet. In my case, it's like this: - I have one role "authenticator" with which the application (PostgREST) connects to the database. - This role has been granted all of the actual user roles and will then do a SET ROLE for each authenticated request it handles. - In my case that's currently about 120k roles granted to "authenticator", back then it was probably around 60k. - The first request (SET ROLE) for each session took between 5 and 10 *minutes* to succeed - subsequent requests were instant. - When the "authenticator" role is made SUPERUSER, the first request is instant, too. I guess this matches exactly what you are observing. There is one more thing that is actually even worse, though: When you try to cancel the query or terminate the backend while the SET ROLE is still running, this will not work. It will not only not cancel the query, but somehow leave the process for that backend in some kind of zombie state that is impossible to recover from. All of this was v15. Best, Wolfgang
-
Re: Slow GRANT ROLE on PostgreSQL 16 with thousands of ROLEs
Tom Lane <tgl@sss.pgh.pa.us> — 2024-03-21T19:42:14Z
I wrote: > It looks like part of the blame might be ascribable to catcache.c, > as if you look at the problem microscopically you find that > roles_is_member_of is causing catcache to make a ton of AUTHMEMMEMROLE > catcache lists, and SearchSysCacheList is just iterating linearly > through the cache's list-of-lists, so that search is where the O(N^2) > time is actually getting taken. Up to now that code has assumed that > any one catcache would not have very many catcache lists. Maybe it's > time to make that smarter; but since we've gotten away with this > implementation for decades, I can't help feeling that the real issue > is with roles_is_member_of's usage pattern. I wrote a quick finger exercise to make catcache.c use a hash table instead of a single list for CatCLists, modeling it closely on the existing hash logic for simple catcache entries. This helps a good deal, but I still see the problematic GRANT taking ~250ms, compared to 5ms in v15. roles_is_member_of is clearly on the hook for that. regards, tom lane
-
Re: Slow GRANT ROLE on PostgreSQL 16 with thousands of ROLEs
Tom Lane <tgl@sss.pgh.pa.us> — 2024-03-21T20:31:45Z
I wrote: > ... I still see the problematic GRANT taking ~250ms, compared > to 5ms in v15. roles_is_member_of is clearly on the hook for that. Ah: looks like that is mainly the fault of the list_append_unique_oid calls in roles_is_member_of. That's also an O(N^2) cost of course, though with a much smaller constant factor. I don't think we have any really cheap way to de-duplicate the role OIDs, especially seeing that it has to be done on-the-fly within the collection loop, and the order of roles_list is at least potentially interesting. Not sure how to make further progress without a lot of work. regards, tom lane
-
Re: Slow GRANT ROLE on PostgreSQL 16 with thousands of ROLEs
Nathan Bossart <nathandbossart@gmail.com> — 2024-03-21T20:40:12Z
On Thu, Mar 21, 2024 at 04:31:45PM -0400, Tom Lane wrote: > I wrote: >> ... I still see the problematic GRANT taking ~250ms, compared >> to 5ms in v15. roles_is_member_of is clearly on the hook for that. > > Ah: looks like that is mainly the fault of the list_append_unique_oid > calls in roles_is_member_of. That's also an O(N^2) cost of course, > though with a much smaller constant factor. > > I don't think we have any really cheap way to de-duplicate the role > OIDs, especially seeing that it has to be done on-the-fly within the > collection loop, and the order of roles_list is at least potentially > interesting. Not sure how to make further progress without a lot of > work. Assuming these are larger lists, this might benefit from optimizations involving SIMD intrinsics. I looked into that a while ago [0], but the effort was abandoned because we didn't have any concrete use-cases at the time. (I'm looking into some additional optimizations in a separate thread [1] that would likely apply here, too.) [0] https://postgr.es/m/20230308002502.GA3378449%40nathanxps13 [1] https://postgr.es/m/20240321183823.GA1800896%40nathanxps13 -- Nathan Bossart Amazon Web Services: https://aws.amazon.com
-
Re: Slow GRANT ROLE on PostgreSQL 16 with thousands of ROLEs
Nathan Bossart <nathandbossart@gmail.com> — 2024-03-22T00:51:39Z
On Thu, Mar 21, 2024 at 03:40:12PM -0500, Nathan Bossart wrote: > On Thu, Mar 21, 2024 at 04:31:45PM -0400, Tom Lane wrote: >> I don't think we have any really cheap way to de-duplicate the role >> OIDs, especially seeing that it has to be done on-the-fly within the >> collection loop, and the order of roles_list is at least potentially >> interesting. Not sure how to make further progress without a lot of >> work. > > Assuming these are larger lists, this might benefit from optimizations > involving SIMD intrinsics. I looked into that a while ago [0], but the > effort was abandoned because we didn't have any concrete use-cases at the > time. (I'm looking into some additional optimizations in a separate thread > [1] that would likely apply here, too.) Never mind. With the reproduction script, I'm only seeing a ~2% improvement with my patches. -- Nathan Bossart Amazon Web Services: https://aws.amazon.com
-
Re: Slow GRANT ROLE on PostgreSQL 16 with thousands of ROLEs
Tom Lane <tgl@sss.pgh.pa.us> — 2024-03-22T00:59:54Z
Nathan Bossart <nathandbossart@gmail.com> writes: > On Thu, Mar 21, 2024 at 03:40:12PM -0500, Nathan Bossart wrote: >> On Thu, Mar 21, 2024 at 04:31:45PM -0400, Tom Lane wrote: >>> I don't think we have any really cheap way to de-duplicate the role >>> OIDs, especially seeing that it has to be done on-the-fly within the >>> collection loop, and the order of roles_list is at least potentially >>> interesting. Not sure how to make further progress without a lot of >>> work. >> Assuming these are larger lists, this might benefit from optimizations >> involving SIMD intrinsics. > Never mind. With the reproduction script, I'm only seeing a ~2% > improvement with my patches. Yeah, you cannot beat an O(N^2) problem by throwing SIMD at it. However ... I just remembered that we have a Bloom filter implementation in core now (src/backend/lib/bloomfilter.c). How about using that to quickly reject (hopefully) most role OIDs, and only do the list_member_oid check if the filter passes? regards, tom lane
-
Re: Slow GRANT ROLE on PostgreSQL 16 with thousands of ROLEs
Nathan Bossart <nathandbossart@gmail.com> — 2024-03-22T01:03:32Z
On Thu, Mar 21, 2024 at 08:59:54PM -0400, Tom Lane wrote: > However ... I just remembered that we have a Bloom filter implementation > in core now (src/backend/lib/bloomfilter.c). How about using that > to quickly reject (hopefully) most role OIDs, and only do the > list_member_oid check if the filter passes? Seems worth a try. I've been looking for an excuse to use that... -- Nathan Bossart Amazon Web Services: https://aws.amazon.com
-
Re: Slow GRANT ROLE on PostgreSQL 16 with thousands of ROLEs
Nathan Bossart <nathandbossart@gmail.com> — 2024-03-22T01:52:51Z
On Thu, Mar 21, 2024 at 08:03:32PM -0500, Nathan Bossart wrote: > On Thu, Mar 21, 2024 at 08:59:54PM -0400, Tom Lane wrote: >> However ... I just remembered that we have a Bloom filter implementation >> in core now (src/backend/lib/bloomfilter.c). How about using that >> to quickly reject (hopefully) most role OIDs, and only do the >> list_member_oid check if the filter passes? > > Seems worth a try. I've been looking for an excuse to use that... The Bloom filter appears to help a bit, although it regresses the create-roles.sql portion of the test. I'm assuming that's thanks to all the extra pallocs and pfrees, which are probably avoidable if we store the filter in a long-lived context and just clear it at the beginning of each call to roles_is_member_of(). HEAD hash hash+bloom create 2.02 2.06 2.92 grant 4.63 0.27 0.08 -- Nathan Bossart Amazon Web Services: https://aws.amazon.com -
Re: Slow GRANT ROLE on PostgreSQL 16 with thousands of ROLEs
alex work <alexwork033@gmail.com> — 2024-03-22T02:02:57Z
First of all thank you for looking into this. At the moment we workaround the problem by altering `acc` ROLE into a SUPERUSER in PostgreSQL 16 instances. It sidestep the problem and having the lowest cost to implement for us. While at first we think this feels like opening a security hole, it does not introduce side effects for **our use case** by the way our application make use of this `acc` ROLE. Of course we cannot recommend the workaround we took to others having similar situation. On Fri, Mar 22, 2024 at 7:59 AM Tom Lane <tgl@sss.pgh.pa.us> wrote: > > Nathan Bossart <nathandbossart@gmail.com> writes: > > On Thu, Mar 21, 2024 at 03:40:12PM -0500, Nathan Bossart wrote: > >> On Thu, Mar 21, 2024 at 04:31:45PM -0400, Tom Lane wrote: > >>> I don't think we have any really cheap way to de-duplicate the role > >>> OIDs, especially seeing that it has to be done on-the-fly within the > >>> collection loop, and the order of roles_list is at least potentially > >>> interesting. Not sure how to make further progress without a lot of > >>> work. > > >> Assuming these are larger lists, this might benefit from optimizations > >> involving SIMD intrinsics. > > > Never mind. With the reproduction script, I'm only seeing a ~2% > > improvement with my patches. > > Yeah, you cannot beat an O(N^2) problem by throwing SIMD at it. > > However ... I just remembered that we have a Bloom filter implementation > in core now (src/backend/lib/bloomfilter.c). How about using that > to quickly reject (hopefully) most role OIDs, and only do the > list_member_oid check if the filter passes? > > regards, tom lane
-
Re: Slow GRANT ROLE on PostgreSQL 16 with thousands of ROLEs
Tom Lane <tgl@sss.pgh.pa.us> — 2024-03-22T02:07:19Z
Nathan Bossart <nathandbossart@gmail.com> writes: > The Bloom filter appears to help a bit, although it regresses the > create-roles.sql portion of the test. I'm assuming that's thanks to all > the extra pallocs and pfrees, which are probably avoidable if we store the > filter in a long-lived context and just clear it at the beginning of each > call to roles_is_member_of(). The zero-fill to reinitialize the filter probably costs a good deal all by itself, considering we're talking about at least a megabyte. Maybe a better idea is to not enable the filter till we're dealing with at least 1000 or so entries in roles_list, though obviously that will complicate the logic. + if (bloom_lacks_element(bf, (unsigned char *) &otherid, sizeof(Oid))) + roles_list = lappend_oid(roles_list, otherid); + else + roles_list = list_append_unique_oid(roles_list, otherid); + bloom_add_element(bf, (unsigned char *) &otherid, sizeof(Oid)); Hmm, I was imagining something more like if (bloom_lacks_element(bf, (unsigned char *) &otherid, sizeof(Oid)) || !list_member_oid(roles_list, otherid)) { roles_list = lappend_oid(roles_list, otherid); bloom_add_element(bf, (unsigned char *) &otherid, sizeof(Oid)); } to avoid duplicate bloom_add_element calls. Probably wouldn't move the needle much in this specific test case, but this formulation would simplify letting the filter kick in later. Very roughly, if ((bf && bloom_lacks_element(bf, (unsigned char *) &otherid, sizeof(Oid))) || !list_member_oid(roles_list, otherid)) { if (bf == NULL && list_length(roles_list) > 1000) { ... create bf and populate with existing list entries } roles_list = lappend_oid(roles_list, otherid); if (bf) bloom_add_element(bf, (unsigned char *) &otherid, sizeof(Oid)); } regards, tom lane -
Re: Slow GRANT ROLE on PostgreSQL 16 with thousands of ROLEs
Nathan Bossart <nathandbossart@gmail.com> — 2024-03-22T14:47:39Z
On Thu, Mar 21, 2024 at 08:59:54PM -0400, Tom Lane wrote: > Nathan Bossart <nathandbossart@gmail.com> writes: >> On Thu, Mar 21, 2024 at 03:40:12PM -0500, Nathan Bossart wrote: >>> On Thu, Mar 21, 2024 at 04:31:45PM -0400, Tom Lane wrote: >>>> I don't think we have any really cheap way to de-duplicate the role >>>> OIDs, especially seeing that it has to be done on-the-fly within the >>>> collection loop, and the order of roles_list is at least potentially >>>> interesting. Not sure how to make further progress without a lot of >>>> work. > >>> Assuming these are larger lists, this might benefit from optimizations >>> involving SIMD intrinsics. > >> Never mind. With the reproduction script, I'm only seeing a ~2% >> improvement with my patches. > > Yeah, you cannot beat an O(N^2) problem by throwing SIMD at it. I apparently had some sort of major brain fade when I did this because I didn't apply your hashing patch when I ran this SIMD test. With it applied, I see a speedup of ~39%, which makes a whole lot more sense to me. If I add the Bloom patch (updated with your suggestions), I get another ~73% improvement from there, and a much smaller regression in the role creation portion. hash hash+simd hash+simd+bloom create 1.27 1.27 1.28 grant 0.18 0.11 0.03 -- Nathan Bossart Amazon Web Services: https://aws.amazon.com -
Re: Slow GRANT ROLE on PostgreSQL 16 with thousands of ROLEs
Nathan Bossart <nathandbossart@gmail.com> — 2024-03-22T14:55:32Z
On Fri, Mar 22, 2024 at 09:47:39AM -0500, Nathan Bossart wrote: > hash hash+simd hash+simd+bloom > create 1.27 1.27 1.28 > grant 0.18 0.11 0.03 For just hash+bloom, I'm seeing 1.29 and 0.04. -- Nathan Bossart Amazon Web Services: https://aws.amazon.com
-
Re: Slow GRANT ROLE on PostgreSQL 16 with thousands of ROLEs
Tom Lane <tgl@sss.pgh.pa.us> — 2024-03-22T15:27:46Z
Nathan Bossart <nathandbossart@gmail.com> writes: > On Fri, Mar 22, 2024 at 09:47:39AM -0500, Nathan Bossart wrote: >> hash hash+simd hash+simd+bloom >> create 1.27 1.27 1.28 >> grant 0.18 0.11 0.03 > For just hash+bloom, I'm seeing 1.29 and 0.04. Yeah, that's about what I'd expect: hash+bloom ought to remove most (not quite all) of the opportunity for simd to shine, because the bloom filter should eliminate most of the list_member_oid calls. Possibly we could fix that small regression in the create phase with more careful tuning of the magic constants in the bloom logic? Although I'd kind of expect that the create step doesn't ever invoke the bloom filter, else it would have been showing a performance problem before; so this might not be a good test case for helping us tune those. I think remaining questions are: * Is there any case where the new hash catcache logic could lose measurably? I kind of doubt it, because we were already computing the hash value for list searches; so basically the only overhead is one more palloc per cache during the first list search. (If you accumulate enough lists to cause a rehash, you're almost surely well into winning territory.) * Same question for the bloom logic, but here I think it's mostly a matter of tuning those constants. * Do we want to risk back-patching any of this, to fix the performance regression in v16? I think that the OP's situation is a pretty narrow one, but maybe he's not the only person who managed to dodge roles_is_member_of's performance issues in most other cases. regards, tom lane
-
Re: Slow GRANT ROLE on PostgreSQL 16 with thousands of ROLEs
Nathan Bossart <nathandbossart@gmail.com> — 2024-03-22T16:39:52Z
On Fri, Mar 22, 2024 at 11:27:46AM -0400, Tom Lane wrote: > Yeah, that's about what I'd expect: hash+bloom ought to remove > most (not quite all) of the opportunity for simd to shine, because > the bloom filter should eliminate most of the list_member_oid calls. Right. IMHO the SIMD work is still worth considering because there are probably even more extreme cases where it'll make a decent amount of difference. Plus, that stuff is pretty low overhead for what you get in return. That being said, the hash table and Bloom filter should definitely be the higher priority. > * Same question for the bloom logic, but here I think it's mostly > a matter of tuning those constants. I suspect there might be some regressions just after the point where we construct the filter, but I'd still expect that to be a reasonable trade-off. We could probably pretty easily construct some benchmarks to understand the impact with a given number of roles. (I'm not sure I'll be able to get to that today.) > * Do we want to risk back-patching any of this, to fix the performance > regression in v16? I think that the OP's situation is a pretty > narrow one, but maybe he's not the only person who managed to dodge > roles_is_member_of's performance issues in most other cases. I've heard complaints about performance with many roles before, so I certainly think this area is worth optimizing. As far as back-patching goes, my current feeling is that the hash table is probably pretty safe and provides the majority of the benefit, but anything fancier should probably be reserved for v17 or v18. -- Nathan Bossart Amazon Web Services: https://aws.amazon.com
-
Re: Slow GRANT ROLE on PostgreSQL 16 with thousands of ROLEs
Tom Lane <tgl@sss.pgh.pa.us> — 2024-03-22T16:53:15Z
Nathan Bossart <nathandbossart@gmail.com> writes: > On Fri, Mar 22, 2024 at 11:27:46AM -0400, Tom Lane wrote: >> * Do we want to risk back-patching any of this, to fix the performance >> regression in v16? I think that the OP's situation is a pretty >> narrow one, but maybe he's not the only person who managed to dodge >> roles_is_member_of's performance issues in most other cases. > I've heard complaints about performance with many roles before, so I > certainly think this area is worth optimizing. As far as back-patching > goes, my current feeling is that the hash table is probably pretty safe and > provides the majority of the benefit, but anything fancier should probably > be reserved for v17 or v18. Yeah. Although both the catcache and list_append_unique_oid bits are O(N^2), the catcache seems to have a much bigger constant factor --- when I did a "perf" check on the unpatched code, I saw catcache eating over 90% of the runtime and list_member_oid about 2%. So let's fix that part in v16 and call it a day. It should be safe to back-patch the catcache changes as long as we put the new fields at the end of the struct and leave cc_lists present but empty. Would you like to review the catcache patch further, or do you think it's good to go? regards, tom lane
-
Re: Slow GRANT ROLE on PostgreSQL 16 with thousands of ROLEs
Nathan Bossart <nathandbossart@gmail.com> — 2024-03-22T16:54:48Z
On Fri, Mar 22, 2024 at 12:53:15PM -0400, Tom Lane wrote: > Would you like to review the catcache patch further, or do you > think it's good to go? I'll take another look this afternoon. -- Nathan Bossart Amazon Web Services: https://aws.amazon.com
-
Re: Slow GRANT ROLE on PostgreSQL 16 with thousands of ROLEs
Nathan Bossart <nathandbossart@gmail.com> — 2024-03-22T19:35:06Z
On Fri, Mar 22, 2024 at 11:54:48AM -0500, Nathan Bossart wrote: > On Fri, Mar 22, 2024 at 12:53:15PM -0400, Tom Lane wrote: >> Would you like to review the catcache patch further, or do you >> think it's good to go? > > I'll take another look this afternoon. LGTM -- Nathan Bossart Amazon Web Services: https://aws.amazon.com
-
Re: Slow GRANT ROLE on PostgreSQL 16 with thousands of ROLEs
Tom Lane <tgl@sss.pgh.pa.us> — 2024-03-22T20:41:49Z
Nathan Bossart <nathandbossart@gmail.com> writes: > On Fri, Mar 22, 2024 at 11:54:48AM -0500, Nathan Bossart wrote: >> On Fri, Mar 22, 2024 at 12:53:15PM -0400, Tom Lane wrote: >>> Would you like to review the catcache patch further, or do you >>> think it's good to go? >> I'll take another look this afternoon. > LGTM Thanks for looking, I'll push that shortly. regards, tom lane
-
Re: Slow GRANT ROLE on PostgreSQL 16 with thousands of ROLEs
Nathan Bossart <nathandbossart@gmail.com> — 2024-03-25T14:47:43Z
On Fri, Mar 22, 2024 at 04:41:49PM -0400, Tom Lane wrote: > Nathan Bossart <nathandbossart@gmail.com> writes: >> LGTM > > Thanks for looking, I'll push that shortly. Are there any changes you'd like to see for the Bloom patch [0]? I'd like to see about getting that committed for v17. One thing that crossed my mind is creating a combined list/filter that transparently created a filter when necessary (for reuse elsewhere), but I'm not sure that's v17 material. [0] https://postgr.es/m/attachment/158079/bloom_v2.patch -- Nathan Bossart Amazon Web Services: https://aws.amazon.com
-
Re: Slow GRANT ROLE on PostgreSQL 16 with thousands of ROLEs
Tom Lane <tgl@sss.pgh.pa.us> — 2024-03-25T15:08:39Z
Nathan Bossart <nathandbossart@gmail.com> writes: > Are there any changes you'd like to see for the Bloom patch [0]? I'd like > to see about getting that committed for v17. One thing that crossed my > mind is creating a combined list/filter that transparently created a filter > when necessary (for reuse elsewhere), but I'm not sure that's v17 material. Yeah, that thought occurred to me too, but I think we ought to have a few more use-cases in view before trying to write an API. As for the patch, I agree it could go into v17, but I think there is still a little bit of work to do: * The magic constants (crossover list length and bloom filter size) need some testing to see if there are better values. They should probably be made into named #defines, too. I suspect, with little proof, that the bloom filter size isn't particularly critical --- but I know we pulled the crossover of 1000 out of thin air, and I have no certainty that it's even within an order of magnitude of being a good choice. * Code needs more than zero comments. * Is it worth trying to make a subroutine, or at least a macro, so as not to have 2 copies of the code? regards, tom lane
-
Re: Slow GRANT ROLE on PostgreSQL 16 with thousands of ROLEs
Nathan Bossart <nathandbossart@gmail.com> — 2024-03-25T15:16:47Z
On Mon, Mar 25, 2024 at 11:08:39AM -0400, Tom Lane wrote: > * The magic constants (crossover list length and bloom filter size) > need some testing to see if there are better values. They should > probably be made into named #defines, too. I suspect, with little > proof, that the bloom filter size isn't particularly critical --- but > I know we pulled the crossover of 1000 out of thin air, and I have > no certainty that it's even within an order of magnitude of being a > good choice. I'll try to construct a couple of tests to see if we can determine a proper order of magnitude. > * Code needs more than zero comments. Yup. > * Is it worth trying to make a subroutine, or at least a macro, > so as not to have 2 copies of the code? I think so. I'll try that in the next version. -- Nathan Bossart Amazon Web Services: https://aws.amazon.com
-
Re: Slow GRANT ROLE on PostgreSQL 16 with thousands of ROLEs
Nathan Bossart <nathandbossart@gmail.com> — 2024-03-26T16:59:18Z
Here is a new version of the patch that I feel is in decent shape. On Mon, Mar 25, 2024 at 10:16:47AM -0500, Nathan Bossart wrote: > On Mon, Mar 25, 2024 at 11:08:39AM -0400, Tom Lane wrote: >> * The magic constants (crossover list length and bloom filter size) >> need some testing to see if there are better values. They should >> probably be made into named #defines, too. I suspect, with little >> proof, that the bloom filter size isn't particularly critical --- but >> I know we pulled the crossover of 1000 out of thin air, and I have >> no certainty that it's even within an order of magnitude of being a >> good choice. > > I'll try to construct a couple of tests to see if we can determine a proper > order of magnitude. I spent some time trying to get some ballpark figures but have thus far been unsuccessful. Even if I was able to get good numbers, I'm not sure how much they'd help us, as we'll still need to decide how much overhead we are willing to take in comparison to the linear search. I don't think ~1000 is an unreasonable starting point, as it seems generally more likely that you will have many more roles to process at that point than if the threshold was, say, 100. And if the threshold is too high (e.g., 10,000), this optimization will only kick in for the most extreme cases, so we'd likely be leaving a lot on the table. But, I will be the first to admit that my reasoning here is pretty unscientific, and I'm open to suggestions for how to make it less so. -- Nathan Bossart Amazon Web Services: https://aws.amazon.com
-
Re: Slow GRANT ROLE on PostgreSQL 16 with thousands of ROLEs
Tom Lane <tgl@sss.pgh.pa.us> — 2024-03-26T18:16:03Z
Nathan Bossart <nathandbossart@gmail.com> writes: > I spent some time trying to get some ballpark figures but have thus far > been unsuccessful. Even if I was able to get good numbers, I'm not sure > how much they'd help us, as we'll still need to decide how much overhead we > are willing to take in comparison to the linear search. I don't think > ~1000 is an unreasonable starting point, as it seems generally more likely > that you will have many more roles to process at that point than if the > threshold was, say, 100. And if the threshold is too high (e.g., 10,000), > this optimization will only kick in for the most extreme cases, so we'd > likely be leaving a lot on the table. But, I will be the first to admit > that my reasoning here is pretty unscientific, and I'm open to suggestions > for how to make it less so. I did a little experimentation using the attached quick-hack C function, and came to the conclusion that setting up the bloom filter costs more or less as much as inserting 1000 or so OIDs the dumb way. So we definitely want a threshold that's not much less than that. For example, with ROLES_LIST_BLOOM_THRESHOLD = 100 I saw: regression=# select drive_bloom(100, 10, 100000); drive_bloom ------------- (1 row) Time: 319.931 ms regression=# select drive_bloom(101, 10, 100000); drive_bloom ------------- (1 row) Time: 319.385 ms regression=# select drive_bloom(102, 10, 100000); drive_bloom ------------- (1 row) Time: 9904.786 ms (00:09.905) That's a pretty big jump in context. With the threshold set to 1024, regression=# select drive_bloom(1024, 10, 100000); drive_bloom ------------- (1 row) Time: 14597.510 ms (00:14.598) regression=# select drive_bloom(1025, 10, 100000); drive_bloom ------------- (1 row) Time: 14589.197 ms (00:14.589) regression=# select drive_bloom(1026, 10, 100000); drive_bloom ------------- (1 row) Time: 25947.000 ms (00:25.947) regression=# select drive_bloom(1027, 10, 100000); drive_bloom ------------- (1 row) Time: 25399.718 ms (00:25.400) regression=# select drive_bloom(2048, 10, 100000); drive_bloom ------------- (1 row) Time: 33809.536 ms (00:33.810) So I'm now content with choosing a threshold of 1000 or 1024 or so. As for the bloom filter size, I see that bloom_create does bitset_bytes = Min(bloom_work_mem * UINT64CONST(1024), total_elems * 2); bitset_bytes = Max(1024 * 1024, bitset_bytes); which means that any total_elems input less than 512K is disregarded altogether. So I'm not sold on your "ROLES_LIST_BLOOM_THRESHOLD * 10" value. Maybe it doesn't matter though. I do not like, even a little bit, your use of a static variable to hold the bloom filter pointer. That code will misbehave horribly if we throw an error partway through the role-accumulation loop; the next call will try to carry on using the old filter, which would be wrong even if it still existed which it likely won't. It's not that much worse notationally to keep it as a local variable, as I did in the attached. regards, tom lane
-
Re: Slow GRANT ROLE on PostgreSQL 16 with thousands of ROLEs
Nathan Bossart <nathandbossart@gmail.com> — 2024-03-26T18:48:19Z
On Tue, Mar 26, 2024 at 02:16:03PM -0400, Tom Lane wrote: > I did a little experimentation using the attached quick-hack C > function, and came to the conclusion that setting up the bloom filter > costs more or less as much as inserting 1000 or so OIDs the dumb way. > So we definitely want a threshold that's not much less than that. Thanks for doing this. > So I'm now content with choosing a threshold of 1000 or 1024 or so. Cool. > As for the bloom filter size, I see that bloom_create does > > bitset_bytes = Min(bloom_work_mem * UINT64CONST(1024), total_elems * 2); > bitset_bytes = Max(1024 * 1024, bitset_bytes); > > which means that any total_elems input less than 512K is disregarded > altogether. So I'm not sold on your "ROLES_LIST_BLOOM_THRESHOLD * 10" > value. Maybe it doesn't matter though. Yeah, I wasn't sure how much to worry about this. I figured that we might as well set it to a reasonable estimate based on the description of the parameter. This description claims that the filter should work well if this is off by a factor of 5 or more, and 50x the threshold sounded like it ought to be good enough for anyone, so that's how I landed on 10x. But as you point out, this value will be disregarded altogether, and it will continue to be ignored unless the filter implementation changes, which seems unlikely. If you have a different value in mind that you would rather use, I'm fine with changing it. > I do not like, even a little bit, your use of a static variable to > hold the bloom filter pointer. That code will misbehave horribly > if we throw an error partway through the role-accumulation loop; > the next call will try to carry on using the old filter, which would > be wrong even if it still existed which it likely won't. It's not > that much worse notationally to keep it as a local variable, as I > did in the attached. Ah, yes, that's no good. I fixed this in the new version. -- Nathan Bossart Amazon Web Services: https://aws.amazon.com
-
Re: Slow GRANT ROLE on PostgreSQL 16 with thousands of ROLEs
Tom Lane <tgl@sss.pgh.pa.us> — 2024-03-26T19:08:00Z
Nathan Bossart <nathandbossart@gmail.com> writes: > On Tue, Mar 26, 2024 at 02:16:03PM -0400, Tom Lane wrote: >> ... I'm not sold on your "ROLES_LIST_BLOOM_THRESHOLD * 10" >> value. Maybe it doesn't matter though. > Yeah, I wasn't sure how much to worry about this. I figured that we might > as well set it to a reasonable estimate based on the description of the > parameter. This description claims that the filter should work well if > this is off by a factor of 5 or more, and 50x the threshold sounded like it > ought to be good enough for anyone, so that's how I landed on 10x. But as > you point out, this value will be disregarded altogether, and it will > continue to be ignored unless the filter implementation changes, which > seems unlikely. If you have a different value in mind that you would > rather use, I'm fine with changing it. No, I have no better idea. As you say, we should try to provide some semi-reasonable number in case bloom_create ever starts paying attention, and this one seems fine. >> I do not like, even a little bit, your use of a static variable to >> hold the bloom filter pointer. > Ah, yes, that's no good. I fixed this in the new version. My one remaining suggestion is that this comment isn't very precise about what's happening: * If there is a previously-created Bloom filter, use it to determine * whether the role is missing from the list. Otherwise, do an ordinary * linear search through the existing role list. Maybe more like * If there is a previously-created Bloom filter, use it to try to * determine whether the role is missing from the list. If it * says yes, that's a hard fact and we can go ahead and add the * role. If it says no, that's only probabilistic and we'd better * search the list. Without a filter, we must always do an ordinary * linear search through the existing list. LGTM other than that nit. regards, tom lane -
Re: Slow GRANT ROLE on PostgreSQL 16 with thousands of ROLEs
Nathan Bossart <nathandbossart@gmail.com> — 2024-03-26T19:49:25Z
On Tue, Mar 26, 2024 at 03:08:00PM -0400, Tom Lane wrote: > My one remaining suggestion is that this comment isn't very precise > about what's happening: > > * If there is a previously-created Bloom filter, use it to determine > * whether the role is missing from the list. Otherwise, do an ordinary > * linear search through the existing role list. > > Maybe more like > > * If there is a previously-created Bloom filter, use it to try to > * determine whether the role is missing from the list. If it > * says yes, that's a hard fact and we can go ahead and add the > * role. If it says no, that's only probabilistic and we'd better > * search the list. Without a filter, we must always do an ordinary > * linear search through the existing list. > > LGTM other than that nit. Committed with that change. Thanks for the guidance on this one. -- Nathan Bossart Amazon Web Services: https://aws.amazon.com