Skip to content

chore: Optimize parial rego execution byte allocations #6144

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 9 commits into from
Feb 10, 2023
Merged

chore: Optimize parial rego execution byte allocations #6144

Changes from 1 commit
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
647651e
chore: Implement benchmark for authorizer.Prepare
Emyrk Feb 9, 2023
816a889
Merge remote-tracking branch 'origin/main' into stevenmasley/rego_pre…
Emyrk Feb 9, 2023
891ecc5
Pre-parse all rego inputs to partial execution
Emyrk Feb 9, 2023
46f9a84
Prepare in the same place as the normal rego policy
Emyrk Feb 9, 2023
8420094
Fix benchmark to match objects
Emyrk Feb 9, 2023
0ef4b5c
Rule index org allow expansion
Emyrk Feb 9, 2023
402e31f
Revert "Rule index org allow expansion"
Emyrk Feb 9, 2023
fd29978
Correct unit test json logs
Emyrk Feb 9, 2023
62875c6
Remove unused file
Emyrk Feb 9, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Pre-parse all rego inputs to partial execution
  • Loading branch information
@Emyrk
Emyrk committed Feb 9, 2023
commit 891ecc50b84d3b146e117dffef309a305ab97ed0
29 changes: 20 additions & 9 deletions coderd/rbac/partial.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -127,6 +127,23 @@ EachQueryLoop:
pa.subjectInput, pa.subjectAction, pa.subjectResourceType, nil)
}

// Precompiled values to be reused for each Prepare call.
// These values are static and do not change.
var (
// unknownTerms are the unknown values in the rego input.
// These values are pre-parsed to prevent reparsing on every Prepare call.
unknownTerms = []*ast.Term{
ast.MustParseTerm("input.object.id"),
ast.MustParseTerm("input.object.owner"),
ast.MustParseTerm("input.object.org_owner"),
ast.MustParseTerm("input.object.acl_user_list"),
ast.MustParseTerm("input.object.acl_group_list"),
}

partialQuery = ast.MustParseBody("data.authz.allow = true")
policyModule = ast.MustParseModule(policy)
)

func newPartialAuthorizer(ctx context.Context, subject Subject, action Action, objectType string) (*PartialAuthorizer, error) {
if subject.Roles == nil {
return nil, xerrors.Errorf("subject must have roles")
Expand All @@ -143,15 +160,9 @@ func newPartialAuthorizer(ctx context.Context, subject Subject, action Action, o
// Run the rego policy with a few unknown fields. This should simplify our
// policy to a set of queries.
partialQueries, err := rego.New(
rego.Query("data.authz.allow = true"),
rego.Module("policy.rego", policy),
rego.Unknowns([]string{
"input.object.id",
"input.object.owner",
"input.object.org_owner",
"input.object.acl_user_list",
"input.object.acl_group_list",
}),
rego.ParsedQuery(partialQuery),
rego.ParsedModule(policyModule),
rego.ParsedUnknowns(unknownTerms),
rego.ParsedInput(input),
).Partial(ctx)
if err != nil {
Expand Down