envoyproxy/envoy

rbac: principals evaluation performance

Open

#12.285 aberto em 24 de jul. de 2020

Ver no GitHub
 (8 comments) (0 reactions) (0 assignees)C++ (5.373 forks)batch import
area/perfarea/rbachelp wanted

Métricas do repositório

Stars
 (27.997 stars)
Métricas de merge de PR
 (Mesclagem média 8d) (378 fundiu PRs em 30d)

Description

We want to evaluate RBAC policies and we have 1.3k "principals", users we want to allow, extracted nowadays via jwt_authn metadata, and these users can vary form endpoints allowed. The actual performance of RBAC is not great for these use cases since it is linear to the amounts of principals. Current structure allows to define how to extract the value of the principal and only match it against a single matcher (StringMatch in our case).

I can see two possibilities for improvement:

  • Add a StringMatcher that validates that a string is included in a given set of strings, of course using a set data structure to avoid it being linear.
  • Probably think of a generic way for RBAC to extract values and validate inclusion in a set.

The first alternative would be restrictive to principal matchers that internally use StringMatcher, but other matchers could be left out, and it would probably be nice to support set lookup in other matchers too.

Guia do colaborador