Comments (3)
I have noticed general slowness on my (i assume) similarly-spec'd macbook air: generating the samples for the test suite was sufficient to hit the default timeout. I did not have this specific issues on my other computers.
That being said, the example you provided does take a lot more time that simpler programs:
M1 macbook: ~100ms
Lenovo X1 carbon (Core i5-7200 @ 2.50 GHz, 8GB RAM): ~140ms
Custom rig (AMD Ryzen 9 5900X 12 cores, 32GB RAM): ~80ms
from biscuit-rust.
Profiling the datalog engine would be good anyway now that third party blocks have landed.
In this specific example, the use of regexes might be a part of the problem (but profiling the engine will be important anyway)
from biscuit-rust.
generating the samples hits the timeout on my machine too, if compiled in debug mode. In release mode it's fast enough.
Running with this code:
use biscuit_auth::Authorizer;
fn main() {
let code = r#"
entity("entity:justine");
organization_parent("mof", "mof:tax", false, false);
[...]
allow if true;"#;
let mut authorizer = Authorizer::new();
authorizer.add_code(code).unwrap();
let res = authorizer.authorize();
println!("authorizer world:\n{}", authorizer.print_world());
println!("authorizer result: {:?}", res);
loop {
let mut authorizer = Authorizer::new();
authorizer.add_code(code).unwrap();
let _ = authorizer.authorize();
}
}
It's pretty apparent that compiling the regex is taking the most time (18ms to create the authorizer and run it on my machine in release mode).
with rules like
policy($child_id, $child, $child_resource, $child_action, "allow") <-
organization_parent($parent, $child, $propagate_allow, $propagate_deny),
policy($parent_id, $parent, $parent_resource, $parent_action, "allow"),
raw_policy($child_id, $child, $child_resource, $child_action, "allow"),
$child_resource.matches("^" + $parent_resource + "(\\w|:)*"),
$child_action.matches("^" + $parent_action + "(\\w|:)*");
this would create a regex for each different value in $parent_resource
and $parent_action
. The state machines are supposed to be memoized, but maybe that's too much here. It looks like you're trying to do 2 things here:
- checking for a prefix, which can be done with
$child_resource.starts_with($parent_resource)
- checking that the format matches
(\\w|:)*
, which can be done with `$child_resource.matches("^(\w|:)*$ ")
With rules written like this:
policy($child_id, $child, $child_resource, $child_action, "allow") <-
organization_parent($parent, $child, $propagate_allow, $propagate_deny),
policy($parent_id, $parent, $parent_resource, $parent_action, "allow"),
raw_policy($child_id, $child, $child_resource, $child_action, "allow"),
$child_resource.starts_with($parent_resource),
$child_action.starts_with($parent_action),
$child_resource.matches("^(\\w|:)*$"),
$child_action.matches("^(\\w|:)*$");
To avoid recompiling the regex
It now runs in 5ms (still in release mode).
Now it's a bit wasteful to execute the regex on each combination, we could apply it only once per relevant fact, like this:
check all raw_policy($child_id, $child, $child_resource, $child_action, "allow"),
$child_resource.matches("^(\\w|:)*$"),
$child_action.matches("^(\\w|:)*$");
and remove it from other rules. Unfortunately, now the runtime shots up to 20ms, so there's something wrong we have to look at here. In the meantime, maybe the format of the members in raw_policy
and operation
could be checked outside? It does not look critical to policy execution, and without them execution runs under a millisecond
from biscuit-rust.
Related Issues (20)
- Parsing chained method calls HOT 1
- Datalog boolean expression == does not evaluate properly HOT 3
- boolean logic should be lazy
- samples validation failure HOT 3
- Make biscuit-auth token::RootKeyProviter public HOT 3
- use separate version git tags for the different crates
- Detect free variables in expressions
- `RUSTSEC-2022-0093` security advisory
- Support heterogeneous sets
- `query_exactly_one()`
- Can't query facts added with authorizer_merge! HOT 2
- Non-deterministic output of `Authorizer.dump_code()` HOT 1
- Hidden state in `Authorizer` HOT 1
- Merging block builders with scope annotations
- Consider adding `impl TryFrom<Fact> for String` HOT 1
- Create new release HOT 1
- Proposal: Use padding free Base64 encoding/decoding HOT 4
- Proposal: add generic interface for external key registries HOT 2
- Cleanup free variables detection HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from biscuit-rust.