
[Question] Performance issue with wildcard rbac, is there a better way to do this? #385

@jjh-reciprocity

Description


What's your scenario? What do you want to achieve?

I want to find a better way to implement this setup, as performance is really really bad as is.

Your model:

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && keyMatch2(r.obj, p.obj) && r.act == p.act

Your policy:

p | ["program-manager-438", "/program/438", "delete"]
p | ["program-manager-438", "/program/438", "read_mappings"]
p | ["program-manager-438", "/audit/438/:auditId", "create"]
p | ["program-manager-438", "/audit/438/:auditId", "delete_attachment"]
p | ["program-manager-438", "/audit/438/:auditId", "Treatment.Completed"]
p | ["program-manager-438", "/audit/438/:auditId", "Archived.Completed"]
p | ["program-manager-438", "/vendor/438/:vendorId", "upload_attachment"]
p | ["program-manager-438", "/requirement/438/:frameworkOrAuditId/:requirementId", "download_attachment"]
p | ["program-manager-438", "/requirement/438/:frameworkOrAuditId/:requirementId", "Draft.In-scope"]
p | ["program-manager-438", "/assessment/438/:auditId/:assessmentId", "delete_mappings"]
p | ["program-manager-438", "/evidence-request/438/:auditId/:assessmentId/:evidenceRequestId", "read"]
p | ["program-manager-438", "/evidence-request/438/:auditId/:assessmentId/:evidenceRequestId", "read_mappings"]
p | ["program-manager-438", "/evidence-request/438/:auditId/:assessmentId/:evidenceRequestId", "Archived.Draft"]
p | ["program-manager-438", "/finding/438/:auditId/:assessmentId/:findingId", "delete"]

g | john, program-manager-438

Your request(s):

john, finding/438/33/44/3, read ---> true

Essentially the goal is to have roles with wildcard rules like this, but also roles that are more specific and use exact ids instead. This works with the implementation above, but has atrocious performance.

Currently, if you have around 40000 rules, this takes ~500ms to check 10 permissions, and ~1000ms to check 20 permissions...that makes me think that the enforcer is checking them synchronously?

FYI: my setup is Node.js with the Postgres adapter.
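The model above, worked through in code as an added example (this is not node-casbin's code and not code from the issue author). It is a stand-alone reimplementation of the matcher `g(r.sub, p.sub) && keyMatch2(r.obj, p.obj) && r.act == p.act` that follows Casbin's documented keyMatch2 behaviour (`/*` matches any suffix, `:param` matches one path segment, the pattern is anchored at both ends), and it uses a constructed policy set shaped like the program-438 rules: one role per program, 14 rules per role, 3000 programs, about 42000 rules in total. The point it demonstrates is why cost grows with the total rule count when every request scans all rules, and how bucketing rules by (subject, action) with precompiled patterns makes a single check touch only a handful of rules. The program count, the `tested` counter and the `compare` helper are assumptions of this example.

```javascript
// Added example, not node-casbin code: a stand-alone reimplementation of the
// matcher m = g(r.sub, p.sub) && keyMatch2(r.obj, p.obj) && r.act == p.act.
// All policies, groupings and requests here are constructed.

// keyMatch2 semantics: "/*" becomes "/.*", ":param" becomes "[^/]+", and the
// pattern is anchored. "/finding/438/33/44/3" therefore matches
// "/finding/438/:auditId/:assessmentId/:findingId", while "finding/438/33/44/3"
// (no leading slash) does not.
function keyMatch2Regex(pattern) {
  const body = pattern.replace(/\/\*/g, '/.*').replace(/:[^/]+/g, '[^/]+');
  return new RegExp('^' + body + '$');
}

// g(r.sub, p.sub) holds when p.sub is r.sub itself or a role reachable through
// the g rules (transitively, so role-to-role links also resolve).
function rolesOf(groupings, user) {
  const reachable = new Set([user]);
  const queue = [user];
  while (queue.length > 0) {
    const current = queue.shift();
    for (const [child, parent] of groupings) {
      if (child === current && !reachable.has(parent)) {
        reachable.add(parent);
        queue.push(parent);
      }
    }
  }
  return reachable;
}

// Constructed rule shapes copied from the issue's program-438 policy, with the
// program id templated so many programs can be generated.
const RULE_TEMPLATES = [
  ['/program/{id}', 'delete'], ['/program/{id}', 'read_mappings'],
  ['/audit/{id}/:auditId', 'create'], ['/audit/{id}/:auditId', 'delete_attachment'],
  ['/audit/{id}/:auditId', 'Treatment.Completed'], ['/audit/{id}/:auditId', 'Archived.Completed'],
  ['/vendor/{id}/:vendorId', 'upload_attachment'],
  ['/requirement/{id}/:frameworkOrAuditId/:requirementId', 'download_attachment'],
  ['/requirement/{id}/:frameworkOrAuditId/:requirementId', 'Draft.In-scope'],
  ['/assessment/{id}/:auditId/:assessmentId', 'delete_mappings'],
  ['/evidence-request/{id}/:auditId/:assessmentId/:evidenceRequestId', 'read'],
  ['/evidence-request/{id}/:auditId/:assessmentId/:evidenceRequestId', 'read_mappings'],
  ['/evidence-request/{id}/:auditId/:assessmentId/:evidenceRequestId', 'Archived.Draft'],
  ['/finding/{id}/:auditId/:assessmentId/:findingId', 'delete'],
];

// One role per program, 14 rules per role: 3000 programs -> 42000 p rules.
function makePolicies(programCount) {
  const policies = [];
  for (let id = 1; id <= programCount; id++) {
    for (const [objTemplate, act] of RULE_TEMPLATES) {
      policies.push([`program-manager-${id}`, objTemplate.replace('{id}', String(id)), act]);
    }
  }
  return policies;
}

// Naive enforcement: visit every p rule in order and compile its pattern on the
// fly. `tested` counts the rules touched before a decision was reached.
function enforceLinear(policies, groupings, sub, obj, act) {
  const subjects = rolesOf(groupings, sub);
  let tested = 0;
  for (const [pSub, pObj, pAct] of policies) {
    tested += 1;
    if (subjects.has(pSub) && act === pAct && keyMatch2Regex(pObj).test(obj)) {
      return { allowed: true, tested };
    }
  }
  return { allowed: false, tested };
}

// Indexed enforcement: bucket rules by (p.sub, p.act) with precompiled regexes.
// A request only visits the buckets for the roles the subject holds and the
// requested action, so the cost no longer grows with the total rule count.
function buildIndex(policies) {
  const index = new Map();
  for (const [pSub, pObj, pAct] of policies) {
    const key = `${pSub}\u0000${pAct}`;
    if (!index.has(key)) index.set(key, []);
    index.get(key).push(keyMatch2Regex(pObj));
  }
  return index;
}

function enforceIndexed(index, groupings, sub, obj, act) {
  let tested = 0;
  for (const role of rolesOf(groupings, sub)) {
    for (const re of index.get(`${role}\u0000${act}`) || []) {
      tested += 1;
      if (re.test(obj)) return { allowed: true, tested };
    }
  }
  return { allowed: false, tested };
}

// Constructed data: john holds program-manager-438, as in the issue's g rule.
const GROUPINGS = [['john', 'program-manager-438']];
const POLICIES = makePolicies(3000);
const INDEX = buildIndex(POLICIES);

// Run both strategies on one request and report decision plus rules touched.
function compare(sub, obj, act) {
  return {
    linear: enforceLinear(POLICIES, GROUPINGS, sub, obj, act),
    indexed: enforceIndexed(INDEX, GROUPINGS, sub, obj, act),
  };
}

console.log(JSON.stringify(compare('john', '/finding/438/33/44/3', 'delete')));
```

For the request `/finding/438/33/44/3` with action `delete`, the linear scan touches 6132 rules before it finds the match and a denied request touches all 42000, while the indexed lookup touches 2 and 1 respectively; per-request time in the linear case is proportional to the rule count, so checking 20 permissions costs about twice what checking 10 does regardless of whether the calls are issued concurrently. The same reduction is what you get in practice by loading only the rules a subject's roles can use (node-casbin offers filtered policy loading via `loadFilteredPolicy` where the adapter supports it) instead of holding all 40000 rules in one enforcer.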

Labels: question (Further information is requested)