- Notifications
You must be signed in to change notification settings - Fork927
chore: improve rbac and add benchmark tooling#18584
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Conversation
ca7deed toc1fe8e3Comparec1fe8e3 to29222a1CompareUh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Wow! Thanks for all of the work you put into this!
Out of curiousity, I wonder if your changes to the policy had any measurable benchmark difference? I would assume that it remains basically the same, but it could be interesting to see the benchmark results now that we have the tools 😁
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Thank you! 🫶 I had some of these things stashed and thought they would be a good addition for future reference.
I was a bit worried about breaking something 😅 so I ran the tests yesterday, it was slightly better, but nothing significantly different:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
This is all excellent!
| bool_flip(b) :=flipped if { | ||
| bool_flip(b) :=false if { | ||
| b | ||
| flipped = false | ||
| } | ||
| bool_flip(b) :=flipped if { | ||
| bool_flip(b) :=true if { | ||
| not b | ||
| flipped = true | ||
| } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Very nice 👍
| number(set) := c if { | ||
| # Return -1 if the set contains any 'false' value (i.e., an explicit deny) | ||
| number(set) := -1 if { | ||
| false in set | ||
| c := -1 | ||
| } | ||
| number(set) := c if { | ||
| # Return 0 if the set is empty (no matching permissions) | ||
| number(set) := 0 if { | ||
| count(set) == 0 | ||
| } | ||
| # Return 1 if the set is non-empty and contains no 'false' values (i.e., only allows) | ||
| number(set) := 1 if { | ||
| not false in set | ||
| set[_] | ||
| c := 1 | ||
| } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
👍
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
coderd/rbac/scripts/gen_input.go Outdated
| // TODO: support arguments for subject, action and object | ||
| funcmain() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
totally fine to start with this 👍
3cb9b20 intomainUh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Description
This PR improves the RBAC package by refactoring the policy, enhancing documentation, and adding utility scripts.
Changes
policy.regofor clarity and readabilitybenchmark_authz.shscript for authz performance testing and comparisongen_input.goto generate input foropa evaltesting