Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Question] Performance issue with wildcard rbac, is there a better way to do this? #385

Open
jjh-reciprocity opened this issue Sep 7, 2022 · 4 comments
Open

[Question] Performance issue with wildcard rbac, is there a better way to do this? #385

jjh-reciprocity opened this issue Sep 7, 2022 · 4 comments
Assignees
@hsluoyz
Labels
question Further information is requested

Comments

@jjh-reciprocity
Copy link

Want to prioritize this issue? Try:

issuehunt-to-marktext

What's your scenario? What do you want to achieve?

I want to find a better way to implement this setup, as performance is really really bad as is.

Your model:

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && keyMatch2(r.obj, p.obj) && r.act == p.act

Your policy:

p | ["program-manager-438", "/program/438", "delete"]
p | ["program-manager-438", "/program/438", "read_mappings"]
p | ["program-manager-438", "/audit/438/:auditId", "create"]
p | ["program-manager-438", "/audit/438/:auditId", "delete_attachment"]
p | ["program-manager-438", "/audit/438/:auditId", "Treatment.Completed"]
p | ["program-manager-438", "/audit/438/:auditId", "Archived.Completed"]
p | ["program-manager-438", "/vendor/438/:vendorId", "upload_attachment"]
p | ["program-manager-438", "/requirement/438/:frameworkOrAuditId/:requirementId", "download_attachment"]
p | ["program-manager-438", "/requirement/438/:frameworkOrAuditId/:requirementId", "Draft.In-scope"]
p | ["program-manager-438", "/assessment/438/:auditId/:assessmentId", "delete_mappings"]
p | ["program-manager-438", "/evidence-request/438/:auditId/:assessmentId/:evidenceRequestId", "read"]
p | ["program-manager-438", "/evidence-request/438/:auditId/:assessmentId/:evidenceRequestId", "read_mappings"]
p | ["program-manager-438", "/evidence-request/438/:auditId/:assessmentId/:evidenceRequestId", "Archived.Draft"]
p | ["program-manager-438", "/finding/438/:auditId/:assessmentId/:findingId", "delete"]

g | john, program-manager-438

Your request(s):

john, finding/438/33/44/3, read ---> true

Essentially the goal is to have roles that have wildcard rules like this. But also roles that are more specific that use exact ids instead. This works with the implementation above, but has atrocious performance.

Currently, if you have around 40000 rules, this takes ~500ms to check 10 permissions, and ~1000ms to check 20 permissions...that makes me think that the enforcer is checking them synchronously?

FYI: My setup is nodejs with postgres adapter.
@jjh-reciprocity jjh-reciprocity added the question Further information is requested label Sep 7, 2022
@casbin-bot
Copy link
Member

@tangyang9464 @JalinWang

@hsluoyz hsluoyz transferred this issue from casbin/casbin Sep 8, 2022
@casbin-bot
Copy link
Member

@nodece @Zxilly @Shivansh-yadav13

@hsluoyz
Copy link
Member

hsluoyz commented Sep 8, 2022

@jjh-reciprocity see benchmark: https://casbin.io/docs/benchmark . I think it's reasonable to have 50ms time overhead for 40000 rules

You can try performance optimization: https://casbin.io/docs/performance

@jjh-reciprocity
Copy link
Author

Shouldn't the checks be able to be done concurrently though? Why does it have to do one enforcement at a time?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@hsluoyz hsluoyz

Labels
question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@hsluoyz @casbin-bot @jjh-reciprocity