Auth: Fine-grained permission request cache #14513
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…parsing.
If `(Type).URL`, was called on non-project specific entities with a
project parameter it was being set on the URL. For example:
```
TypeServer.URL("default", "")
```
Returned the URL: `/1.0?project=default`.
This isn't what we want.
Additionally, the project query parameter was not being persisted on
`ParseURL` for operations or warnings.
Additional unit tests have been added to account for these cases.
Signed-off-by: Mark Laing <[email protected]>
…name. Signed-off-by: Mark Laing <[email protected]>
Signed-off-by: Mark Laing <[email protected]>
Signed-off-by: Mark Laing <[email protected]>
Signed-off-by: Mark Laing <[email protected]>
Signed-off-by: Mark Laing <[email protected]>
Signed-off-by: Mark Laing <[email protected]>
|
@markylaing thanks! Taking a look |
|
Closing in favour of #14557 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I was playing with some ideas to get some quick wins for performance in the fine-grained authorization driver.
The OpenFGADatastore receives very specific queries such as:
instance:/1.0/instances/c1?project=defaultascan_view?instanceare members of groupfoorelated to ascan_view?Each of these queries are executed case-by-case. This always hits the database, even if there are no permissions at all for entities of type
instance.This PR implements pre-loading of the
auth_groups_permissionstable to reduce the total number of database calls. Qualitatively, I've seen this reduce the total number of database calls when listing projects with recursion from 85 to 10.@gabrielmougard it might be worth comparing this with your work in #14476. We can test performance and try to make further optimisations so that loading the additional entitlements is low-cost.