pre-compute password denylist Bloom filter to speed up server startup

Fixes #47356

Signed-off-by: Faseela K <faseela.k@est.tech>
Faseela K
2026-05-07 16:01:12 +02:00
committed by GitHub
parent 8e808ca15f
commit 26c2a9e3ed
8 changed files with 325 additions and 22 deletions
@@ -153,6 +153,28 @@ The current implementation uses a BloomFilter for fast and memory efficient cont
* By default a false positive probability of `0.01%` is used.
* To change the false positive probability by CLI configuration, use `+--spi-password-policy--password-blacklist--false-positive-probability=0.00001+`.
.Pre-computing the Bloom filter
For large denylist files, {project_name} builds the Bloom filter from the plaintext file on every startup or reload, which can take several seconds.
To reduce load time to milliseconds, pre-compute the Bloom filter once using the `build-password-denylist` CLI command:
[source,bash]
----
bin/kc.sh tools build-password-denylist /path/to/100k_passwords
----
This generates a `100k_passwords.bloom` file next to the input file.
Place it in the password-blacklists folder and configure the realm password policy to use the `.bloom` filename (for example, `100k_passwords.bloom`) instead of the plaintext file.
{project_name} detects the file type by extension: files ending in `.bloom` are loaded as pre-computed Bloom filter binaries; all other files are read as plaintext.
Re-run the command and update the policy value each time the denylist is updated.
You can also control the false positive probability for the pre-computed filter:
[source,bash]
----
bin/kc.sh tools build-password-denylist /path/to/100k_passwords --fpp 0.00001
----
[[maximum-authentication-age]]
===== Maximum Authentication Age
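Review bot: the new paragraph at lines 25 to 31 leaves the interaction between the two false-positive settings undefined. Line 15 documents `--spi-password-policy--password-blacklist--false-positive-probability` as the runtime knob, while line 30 introduces `--fpp` on `build-password-denylist`; since the probability is baked into the `.bloom` file at build time, the text should say explicitly that the runtime option has no effect on pre-computed filters (or, if the server compares the two and warns, say that instead), otherwise an operator who tightens the runtime setting will believe they have a stricter filter than they actually run. Two smaller gaps in the same block: line 25 says the server branches on the `.bloom` extension, but nothing says what happens when the binary is truncated or was produced by a different {project_name} version, so a sentence such as "Regenerate `.bloom` files after upgrading; a file that fails to load is reported at startup" (matching whatever the loader actually does) would help, and line 26 should remind the reader to keep the plaintext source file, because the Bloom filter cannot be audited or diffed to confirm which passwords it encodes. Finally, line 24 mixes "denylist" (the command name) with "password-blacklists" (the folder); if the folder name is fixed for compatibility, a short parenthetical saying so avoids readers assuming a typo.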