Skip to content

chore: add global caching to rbac #7439

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 11 commits into from
May 8, 2023
Merged

chore: add global caching to rbac #7439

merged 11 commits into from
May 8, 2023

Conversation

ammario
Copy link
Member

@ammario ammario commented May 5, 2023
edited
Loading

I'm assuming all calls to Authorize are pure in this implementation.

@ammario
Copy link
Member Author

ammario commented May 5, 2023

thoughts on this approach @Emyrk?

@ammario ammario linked an issue May 5, 2023 that may be closed by this pull request
OPA is CPU inefficient #7438
Closed
Emyrk
Emyrk reviewed May 5, 2023
View reviewed changes
Copy link
Member

@Emyrk Emyrk left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not opposed to this. I'm curious what kind of savings this would yield. We should not use the full json payload as a key though.

The caching per request was intentional as a single request often does the same rbac check a lot. Example is fetching a workspace. You have to fetch the workspace build and the provisioner job, which all do the same rbac check on the workspace.

Going global means that we might lose this savings per request if we get more than the 4096 requests in the same time of a single request. Probably unlikely? So it's probably ok?

Just something to think about. Since the per request cache will guarantee duplicate hits. Might be overkill to have both a per request cache and global cache.

coderd/rbac/authz.go Outdated
Comment on lines 638 to 640
_ = enc.Encode(subject)
_ = enc.Encode(action)
_ = enc.Encode(object)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is unfortunate. The json payload is quite large, and that being a key would be even more verbose.

It would be better to "hash" the fields somehow to reduce this.

I intentionally made the file astvalue.go to avoid json.Marshalling this data when going to the rego evaluator.

We can use the role name for the hash and ignore the permissions. Whatever "hash" function we create will be faster than a json.Marshal I bet.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The main thing is to make sure the unique hash would be changed if the user changes roles/groups. Lmk if you want me to write this, I can get you a much smaller key.

@ammario
Copy link
Member Author

ammario commented May 5, 2023

@Emyrk — I have a benchmark that is just calling /users/me and the cache is taking us from 3.3ms/req to 0.7ms/req, so quite significant. I agree that hashing the key is a good idea, and since that would reduce storage overhead, I think we can just make the cache really big, like 64k entries.

@Emyrk
Copy link
Member

Emyrk commented May 5, 2023

From a correctness POV, as long as our unique key contains all the information required to match a unique RBAC check, then it will be correct in all future calls too.

So this can work for sure 👍.

@ammario
Copy link
Member Author

ammario commented May 5, 2023

@Emyrk very happy to hear that :)

@Emyrk
Copy link
Member

Emyrk commented May 5, 2023

@ammario If we go to 64k, then I have no issues with dropping the request cache. Can I write a hash function and commit it to this branch?

@ammario
Copy link
Member Author

ammario commented May 5, 2023

@Emyrk go for it

Emyrk and others added 5 commits May 5, 2023 14:19
@Emyrk
chore: Add ability to hash an authorizationc all to a unqiue hash key.
adc07b0 
This is useful for caching purposes.
Order matters for the hash key for slices, so a slice with
the same elements in a different order is a different hash key.
Athlough they are functionally equivalent, our slices have deterministic
orders in the database, so our subjects/objects will match.
There is no need to spend the time or memory to sort these lists.
@Emyrk
Remove import
92a33c3
@ammario
Do not record authorization calls in benchmarks
aaa736a
@ammario
ignore .test binaries
b5510a8
@ammario
pass lint
8d20a4e
@ammario ammario marked this pull request as ready for review May 5, 2023 19:42
@ammario ammario enabled auto-merge (squash) May 5, 2023 20:34
@ammario ammario requested a review from Emyrk May 5, 2023 20:34
@ammario ammario mentioned this pull request May 7, 2023
Closed
Emyrk
Emyrk approved these changes May 8, 2023
View reviewed changes
Copy link
Member

@Emyrk Emyrk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@ammario ammario merged commit 8899dd8 into main May 8, 2023
@ammario ammario deleted the rbac-global-cache branch May 8, 2023 13:59
@github-actions github-actions bot locked and limited conversation to collaborators May 8, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@Emyrk Emyrk Emyrk approved these changes

Assignees

@ammario ammario

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

OPA is CPU inefficient
2 participants
@ammario @Emyrk