envoyproxy/envoy

rbac: principals evaluation performance

Open

#12.285 aperta il 24 lug 2020

Vedi su GitHub
 (8 commenti) (0 reazioni) (0 assegnatari)C++ (5373 fork)batch import
area/perfarea/rbachelp wanted

Metriche repository

Star
 (27.997 star)
Metriche merge PR
 (Merge medio 8g) (378 PR mergiate in 30 g)

Descrizione

We want to evaluate RBAC policies and we have 1.3k "principals", users we want to allow, extracted nowadays via jwt_authn metadata, and these users can vary form endpoints allowed. The actual performance of RBAC is not great for these use cases since it is linear to the amounts of principals. Current structure allows to define how to extract the value of the principal and only match it against a single matcher (StringMatch in our case).

I can see two possibilities for improvement:

  • Add a StringMatcher that validates that a string is included in a given set of strings, of course using a set data structure to avoid it being linear.
  • Probably think of a generic way for RBAC to extract values and validate inclusion in a set.

The first alternative would be restrictive to principal matchers that internally use StringMatcher, but other matchers could be left out, and it would probably be nice to support set lookup in other matchers too.

Guida contributor