I think it makes sense to separate thePrepareOnly benchmarks into a dedicated test (e.g.,BenchmarkRBACPrepare). TheFilter method already callsPrepare, so it will always have a longer execution time than justPrepare. Mixing both leads to benchstat averages that can be misleading. See for example the benchstat results from the policy update PR:

That sounds reasonable to me!

That is fine with me 👍

Ideally theFilter benchmark would omit the time used duringPrepare? Then the total time is the combination of the benchmarks.

Regardless, feel free to make that refactor 👍

I added this script in therbac folder, but wondering if it might make more sense to move it under the main scripts directory instead, maybe something likescripts/rbac to keep things consistent. Wdyt? 🤔

I think you can throw it under./scripts, you might also want to look into some of our other scripts in there, especially the helpers inlib.sh.

I also note that you have to be in the `coderd/rbac folder to run this right now.

Yea, you can throw it under/scripts 👍

This is awesome btw ❤️

I used this script to test the policy update changes by generating a replica of the template admin role. It was helpful for local testing, but let me know what you think. It could use some refactoring to support different roles, actions, and object types.
Also, similar tobenchmark_authz.sh, maybe it makes sense to move it to the mainscripts directory.

This is cool! I think we could probably usecoderdtest /dbgen to spin up a set of subjects and objects for testing.

There is of course the matter of combinatorial explosion so we'd want to be careful about how many we add here, otherwise running this benchmark will take forever.

Just a note: this script isn’t for benchmarking. It’s meant to generate aninput.json file to use with theopa eval command. This helps verify that the policy returns the correct output, we already have a default file:https://github.com/coder/coder/blob/main/coderd/rbac/input.json

This was especially useful for testing the template admin that has many roles, since updating the JSON file manually was a bit slow 😅

I would also like to add (optional) arguments like--action=[one from the available actions],--subject=[built-in roles], and--object=[one from the supported resources] to make it more flexible.

I’ll also add a small comment at the beginning of the file to explain this.

@ssncferreira I've had similar looking programs to do exactly the same. I'd create a./scripts/rbactest or something and toss the bash script and this in there.

Throw this in, and we can iterate as we revisit this stuff. There are other go programs that I iterate on each time I use them. This is great 👍

That sounds reasonable to me!

nit: indentation

Also, we could probably infer the--single argument if omitted.

I think you can throw it under./scripts, you might also want to look into some of our other scripts in there, especially the helpers inlib.sh.

I also note that you have to be in the `coderd/rbac folder to run this right now.

This is cool! I think we could probably usecoderdtest /dbgen to spin up a set of subjects and objects for testing.

There is of course the matter of combinatorial explosion so we'd want to be careful about how many we add here, otherwise running this benchmark will take forever.

Nice work commenting and refactoring!

Very nice 👍

👍

Yea, you can throw it under/scripts 👍

This is awesome btw ❤️

@ssncferreira I've had similar looking programs to do exactly the same. I'd create a./scripts/rbactest or something and toss the bash script and this in there.

Throw this in, and we can iterate as we revisit this stuff. There are other go programs that I iterate on each time I use them. This is great 👍

totally fine to start with this 👍