chore: Optimize rego policy input allocations #6135
Merged
Emyrk merged 8 commits into main from stevenmasley/rego_less_alloc
Feb 9, 2023

Emyrk commented Feb 9, 2023

Manually convert to ast.Value instead of using generic json.Marshal conversion.

Saves ~0.1ms from all users with roles + groups.

Tests

The test TestRegoInputValue ensures there is no difference in the optimized output to the prior json.Marshal method. So this PR is 100% safe! 🥳

Results

Input allocations

This is the benchmark of just the saved allocations on the inputs.

JSONRegoValue was the previous method. ManualRegoValue is the new technique.

33% reduction in the number of bytes allocated for a rather complex rbac subject. Actual savings depend on the actor and things like the number of groups they are in.

    cpu: Intel(R) Core(TM) i7-6770HQ CPU @ 2.60GHz
    BenchmarkRBACValueAllocation/ManualRegoValue-8             27673             42994 ns/op           17721 B/op        559 allocs/op
    BenchmarkRBACValueAllocation/JSONRegoValue-8               10000            120974 ns/op           26494 B/op        700 allocs/op

Broader RBAC benchmark impact

Time savings are measurable! Not an order of magnitude, but it is faster.

Before

    cpu: Intel(R) Core(TM) i7-6770HQ CPU @ 2.60GHz
    BenchmarkRBACAuthorize/NoRoles-8                            4432            304177 ns/op           81206 B/op       1582 allocs/op
    BenchmarkRBACAuthorize/Admin-8                              1821            873503 ns/op          183445 B/op       3826 allocs/op
    BenchmarkRBACAuthorize/OrgAdmin-8                           1575            866685 ns/op          176617 B/op       3618 allocs/op
    BenchmarkRBACAuthorize/OrgMember-8                          2232            651818 ns/op          140718 B/op       2997 allocs/op
    BenchmarkRBACAuthorize/ManyRoles-8                          1226            997774 ns/op          235363 B/op       5074 allocs/op
    BenchmarkRBACAuthorize/AdminWithScope-8                     1836            763182 ns/op          179983 B/op       3742 allocs/op
    BenchmarkRBACAuthorizeGroups/NoRolesGroupACL-8              3231            311936 ns/op           87965 B/op       1795 allocs/op
    BenchmarkRBACAuthorizeGroups/AdminGroupACL-8                1543            746852 ns/op          197525 B/op       4250 allocs/op
    BenchmarkRBACAuthorizeGroups/OrgAdminGroupACL-8             1681            931019 ns/op          192735 B/op       4086 allocs/op
    BenchmarkRBACAuthorizeGroups/OrgMemberGroupACL-8            1315            882409 ns/op          198334 B/op       4224 allocs/op
    BenchmarkRBACAuthorizeGroups/ManyRolesGroupACL-8            1310            932732 ns/op          252496 B/op       5366 allocs/op
    BenchmarkRBACAuthorizeGroups/AdminWithScopeGroupACL-8       1462            691538 ns/op          197576 B/op       4250 allocs/op

After

    cpu: Intel(R) Core(TM) i7-6770HQ CPU @ 2.60GHz
    BenchmarkRBACAuthorize/NoRoles-8                            3963            260746 ns/op           71624 B/op       1409 allocs/op
    BenchmarkRBACAuthorize/Admin-8                              1783            635798 ns/op          160946 B/op       3416 allocs/op
    BenchmarkRBACAuthorize/OrgAdmin-8                           1828            632054 ns/op          155398 B/op       3245 allocs/op
    BenchmarkRBACAuthorize/OrgMember-8                          2478            508771 ns/op          117930 B/op       2587 allocs/op
    BenchmarkRBACAuthorize/ManyRoles-8                          1382            839324 ns/op          205169 B/op       4461 allocs/op
    BenchmarkRBACAuthorize/AdminWithScope-8                     1947            602195 ns/op          157378 B/op       3330 allocs/op
    BenchmarkRBACAuthorizeGroups/NoRolesGroupACL-8              4207            250881 ns/op           74572 B/op       1519 allocs/op
    BenchmarkRBACAuthorizeGroups/AdminGroupACL-8                2049            599757 ns/op          170143 B/op       3693 allocs/op
    BenchmarkRBACAuthorizeGroups/OrgAdminGroupACL-8             1990            579503 ns/op          166293 B/op       3566 allocs/op
    BenchmarkRBACAuthorizeGroups/OrgMemberGroupACL-8            2359            589980 ns/op          170074 B/op       3667 allocs/op
    BenchmarkRBACAuthorizeGroups/ManyRolesGroupACL-8            1542            773863 ns/op          209250 B/op       4606 allocs/op
    BenchmarkRBACAuthorizeGroups/AdminWithScopeGroupACL-8       1330           1155050 ns/op          170152 B/op       3693 allocs/op

Future work

If we implement ast.Value interface directly for our maps (e.g. roles), we can reduce a lot more allocations.

Manually convert to ast.Value instead of using generic json.Marshal conversion.
The optimized input is always compared to the normal jsonmarshal parser.
Emyrk marked this pull request as ready for review February 9, 2023 17:47
Emyrk requested a review from johnstcn February 9, 2023 17:47
Emyrk changed the title from "chore: Optimize rego policy evaluation allocations" to "chore: Optimize rego policy input allocations" Feb 9, 2023
@@ -79,6 +80,8 @@ var (
Site: permissions(map[string][]Action{
ResourceWildcard.Type: {WildcardSymbol},
}),
Org: map[string][]Permission{},
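Review bot: the `Org: map[string][]Permission{},` line at the end of this hunk has no comment saying why an empty, non-nil map is set explicitly. If it is there so that comparisons see an empty map rather than nil, add a one-line comment saying so, otherwise a later cleanup may drop it as redundant.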
review: these had been breaking comparison due to comparing empty vs nil slice

Emyrk reacted with thumbs up emoji
Comment on lines +15 to +18
// Currently ast.Object.insert() is the slowest part of the process and allocates
// the most amount of bytes. This general approach copies all of our struct
// data and uses a lot of extra memory for handling things like sort order.
// A possible large improvement would be to implement the ast.Value interface directly.
👍

Emyrk merged commit af59e2b into main Feb 9, 2023
Emyrk deleted the stevenmasley/rego_less_alloc branch February 9, 2023 19:47
github-actions bot locked and limited conversation to collaborators Feb 9, 2023
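The equivalence check the description relies on, and the nil-versus-empty mismatch raised in review, shown as an added example that is not code from this PR or the project. It uses only the standard library in place of OPA's ast package; `Subject`, `viaJSON`, `manual`, `strs`, `SameInput` and the `keepNil` switch are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
)

// Subject is a hypothetical, simplified RBAC subject (not the project's type).
type Subject struct {
	Roles  []string `json:"roles"`
	Groups []string `json:"groups"`
}

// viaJSON is the generic path: marshal, then decode into untyped values.
func viaJSON(s Subject) (v any) {
	raw, _ := json.Marshal(s) // cannot fail for this struct
	_ = json.Unmarshal(raw, &v)
	return v
}

// strs converts a slice by hand. With keepNil, a nil slice stays nil, matching
// the JSON null that json.Marshal emits; without it, nil becomes [].
func strs(in []string, keepNil bool) any {
	if in == nil && keepNil {
		return nil
	}
	out := make([]any, len(in))
	for i, v := range in {
		out[i] = v
	}
	return out
}

// manual builds the same tree directly, skipping the JSON round trip.
func manual(s Subject, keepNil bool) any {
	return map[string]any{"roles": strs(s.Roles, keepNil), "groups": strs(s.Groups, keepNil)}
}

// SameInput reports whether the manual path matches the JSON path exactly.
func SameInput(s Subject, keepNil bool) bool {
	return reflect.DeepEqual(viaJSON(s), manual(s, keepNil))
}

func main() {
	s := Subject{Roles: []string{"member"}} // Groups left nil (constructed sample)
	fmt.Println(SameInput(s, true), SameInput(s, false))
}
```

A hand-written converter that turns a nil slice into `[]` hands the policy a different input than the JSON path does, which is the kind of drift an equality test between the two paths catches before it reaches authorization decisions.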
Reviewers: johnstcn approved these changes