Skip to content

chore: Drop resource_id support in rbac system #3426

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Aug 9, 2022
Merged

chore: Drop resource_id support in rbac system #3426

Changes from 1 commit
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
44423b3
chore: Drop resource_id support in rbac system
Emyrk Aug 9, 2022
1f7d5d3
Handle assigning/removing roles
Emyrk Aug 9, 2022
0376027
Update assign user roles test
Emyrk Aug 9, 2022
ea41968
Return after forbidden
Emyrk Aug 9, 2022
7a06b27
Merge remote-tracking branch 'origin/main' into stevenmasley/rbac_no_ids
Emyrk Aug 9, 2022
186bfc1
Add benchmark for Filter
Emyrk Aug 9, 2022
64a7d12
Drop comments that are no longer relevent
Emyrk Aug 9, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Add benchmark for Filter
  • Loading branch information
@Emyrk
Emyrk committed Aug 9, 2022
commit 186bfc104db69a60b80ca33d6b0068599dc119be
81 changes: 81 additions & 0 deletions coderd/rbac/builtin_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,87 @@ import (
"github.com/coder/coder/coderd/rbac"
)

// BenchmarkRBACFilter benchmarks the rbac.Filter method.
// go test -bench BenchmarkRBACFilter -benchmem -memprofile memprofile.out -cpuprofile profile.out
func BenchmarkRBACFilter(b *testing.B) {
orgs := []uuid.UUID{
uuid.MustParse("bf7b72bd-a2b1-4ef2-962c-1d698e0483f6"),
uuid.MustParse("e4660c6f-b9de-422d-9578-cd888983a795"),
uuid.MustParse("fb13d477-06f4-42d9-b957-f6b89bd63515"),
}

users := []uuid.UUID{
uuid.MustParse("10d03e62-7703-4df5-a358-4f76577d4e2f"),
uuid.MustParse("4ca78b1d-f2d2-4168-9d76-cd93b51c6c1e"),
uuid.MustParse("0632b012-49e0-4d70-a5b3-f4398f1dcd52"),
uuid.MustParse("70dbaa7a-ea9c-4f68-a781-97b08af8461d"),
}

benchCases := []struct {
Name string
Roles []string
UserID uuid.UUID
}{
{
Name: "NoRoles",
Roles: []string{},
UserID: users[0],
},
{
Name: "Admin",
// Give some extra roles that an admin might have
Roles: []string{rbac.RoleOrgMember(orgs[0]), "auditor", rbac.RoleAdmin(), rbac.RoleMember()},
UserID: users[0],
},
{
Name: "OrgAdmin",
Roles: []string{rbac.RoleOrgMember(orgs[0]), rbac.RoleOrgAdmin(orgs[0]), rbac.RoleMember()},
UserID: users[0],
},
{
Name: "OrgMember",
// Member of 2 orgs
Roles: []string{rbac.RoleOrgMember(orgs[0]), rbac.RoleOrgMember(orgs[1]), rbac.RoleMember()},
UserID: users[0],
},
{
Name: "ManyRoles",
// Admin of many orgs
Roles: []string{
rbac.RoleOrgMember(orgs[0]), rbac.RoleOrgAdmin(orgs[0]),
rbac.RoleOrgMember(orgs[1]), rbac.RoleOrgAdmin(orgs[1]),
rbac.RoleOrgMember(orgs[2]), rbac.RoleOrgAdmin(orgs[2]),
rbac.RoleMember()},
UserID: users[0],
},
}

authorizer, err := rbac.NewAuthorizer()
if err != nil {
require.NoError(b, err)
}
for _, c := range benchCases {
b.Run(c.Name, func(b *testing.B) {
objects := benchmarkSetup(orgs, users, b.N)
b.ResetTimer()
allowed := rbac.Filter(context.Background(), authorizer, c.UserID.String(), c.Roles, rbac.ActionRead, objects)
var _ = allowed
})
}
}

func benchmarkSetup(orgs []uuid.UUID, users []uuid.UUID, size int) []rbac.Object {
// Create a "random" but deterministic set of objects.
objectList := make([]rbac.Object, size)
for i := range objectList {
objectList[i] = rbac.ResourceWorkspace.
InOrg(orgs[i%len(orgs)]).
WithOwner(users[i%len(users)].String())
}

return objectList
}

type authSubject struct {
// Name is helpful for test assertions
Name string
Expand Down