-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve performance of ListResources
#23534
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: the old CombineLabels
strategy would perform the combination s.t. command labels took precedence over static labels (i.e. if a command label and a static label exist for the same key, only the command label would be observed). As implemented, these GetLabel
methods are giving precedence to static labels. I actually prefer this strategy, but it would technically be a breaking change in RBAC behavior, so probably best to change it.
64cf613
to
ec0860c
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nice work!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great work, awesome to see benchmarks being used to ensure improvements are worthwhile.
fc4dc2b
to
623322a
Compare
BenchmarkListNodes is twice as slow when RBAC logging is enabled. By switching RBAC logging from debug to trace we can eliminate the performance hit while still providing a way for users to opt in to the behavior if they need to debug RBAC.
Profiles of the benchmark test revealed that the `regexp.Compile` done within `utils.matchString` was the most cpu and memory intensive portion of the tests. By leveraging a `lru.Cache` to intern the compiled regular expressions we get quite a performance improvement.
Increases the request limit prior to loading the resources from the cache so that we load enough items in a single page to determine the start key of the next page.
Unmarshal directly to a `types.ServerV2` instead of first creating a `types.ResourceHeader` to inspect the version. There is only a single version for `types.ServerV2` making the check unnecessary.
`GetAllLabels` can be overkill if one simply needs to look up the value for a particular label. It creates a new `map[string]string` and copies all of a resources existing labels. RBAC decisions driven by labels incurred the penalty of the copy each time access was checked. The impact of the copy is much more noticeable when a resource has several labels or really long strings in the key or value. By leveraging `GetLabel` RBAC can avoid copying the labels altogether and simply lookup each label key when required.
623322a
to
7f74697
Compare
* Add benchmark for ListNodes * Move RBAC logging to trace level BenchmarkListNodes is twice as slow when RBAC logging is enabled. By switching RBAC logging from debug to trace we can eliminate the performance hit while still providing a way for users to opt in to the behavior if they need to debug RBAC. * Intern compiled regular expressions Profiles of the benchmark test revealed that the `regexp.Compile` done within `utils.matchString` was the most cpu and memory intensive portion of the tests. By leveraging a `lru.Cache` to intern the compiled regular expressions we get quite a performance improvement. * Only fetch a single page of resources Increases the request limit prior to loading the resources from the cache so that we load enough items in a single page to determine the start key of the next page. * Remove version checking from `services.UnmarshalServer` Unmarshal directly to a `types.ServerV2` instead of first creating a `types.ResourceHeader` to inspect the version. There is only a single version for `types.ServerV2` making the check unnecessary. * Add `GetLabel` to `types.ResourceWithLables` `GetAllLabels` can be overkill if one simply needs to look up the value for a particular label. It creates a new `map[string]string` and copies all of a resources existing labels. RBAC decisions driven by labels incurred the penalty of the copy each time access was checked. The impact of the copy is much more noticeable when a resource has several labels or really long strings in the key or value. By leveraging `GetLabel` RBAC can avoid copying the labels altogether and simply lookup each label key when required.
* Add benchmark for ListNodes * Move RBAC logging to trace level BenchmarkListNodes is twice as slow when RBAC logging is enabled. By switching RBAC logging from debug to trace we can eliminate the performance hit while still providing a way for users to opt in to the behavior if they need to debug RBAC. * Intern compiled regular expressions Profiles of the benchmark test revealed that the `regexp.Compile` done within `utils.matchString` was the most cpu and memory intensive portion of the tests. By leveraging a `lru.Cache` to intern the compiled regular expressions we get quite a performance improvement. * Only fetch a single page of resources Increases the request limit prior to loading the resources from the cache so that we load enough items in a single page to determine the start key of the next page. * Remove version checking from `services.UnmarshalServer` Unmarshal directly to a `types.ServerV2` instead of first creating a `types.ResourceHeader` to inspect the version. There is only a single version for `types.ServerV2` making the check unnecessary. * Add `GetLabel` to `types.ResourceWithLables` `GetAllLabels` can be overkill if one simply needs to look up the value for a particular label. It creates a new `map[string]string` and copies all of a resources existing labels. RBAC decisions driven by labels incurred the penalty of the copy each time access was checked. The impact of the copy is much more noticeable when a resource has several labels or really long strings in the key or value. By leveraging `GetLabel` RBAC can avoid copying the labels altogether and simply lookup each label key when required.
* Add benchmark for ListNodes * Move RBAC logging to trace level BenchmarkListNodes is twice as slow when RBAC logging is enabled. By switching RBAC logging from debug to trace we can eliminate the performance hit while still providing a way for users to opt in to the behavior if they need to debug RBAC. * Intern compiled regular expressions Profiles of the benchmark test revealed that the `regexp.Compile` done within `utils.matchString` was the most cpu and memory intensive portion of the tests. By leveraging a `lru.Cache` to intern the compiled regular expressions we get quite a performance improvement. * Only fetch a single page of resources Increases the request limit prior to loading the resources from the cache so that we load enough items in a single page to determine the start key of the next page. * Remove version checking from `services.UnmarshalServer` Unmarshal directly to a `types.ServerV2` instead of first creating a `types.ResourceHeader` to inspect the version. There is only a single version for `types.ServerV2` making the check unnecessary. * Add `GetLabel` to `types.ResourceWithLables` `GetAllLabels` can be overkill if one simply needs to look up the value for a particular label. It creates a new `map[string]string` and copies all of a resources existing labels. RBAC decisions driven by labels incurred the penalty of the copy each time access was checked. The impact of the copy is much more noticeable when a resource has several labels or really long strings in the key or value. By leveraging `GetLabel` RBAC can avoid copying the labels altogether and simply lookup each label key when required.
* Add benchmark for ListNodes * Move RBAC logging to trace level BenchmarkListNodes is twice as slow when RBAC logging is enabled. By switching RBAC logging from debug to trace we can eliminate the performance hit while still providing a way for users to opt in to the behavior if they need to debug RBAC. * Intern compiled regular expressions Profiles of the benchmark test revealed that the `regexp.Compile` done within `utils.matchString` was the most cpu and memory intensive portion of the tests. By leveraging a `lru.Cache` to intern the compiled regular expressions we get quite a performance improvement. * Only fetch a single page of resources Increases the request limit prior to loading the resources from the cache so that we load enough items in a single page to determine the start key of the next page. * Remove version checking from `services.UnmarshalServer` Unmarshal directly to a `types.ServerV2` instead of first creating a `types.ResourceHeader` to inspect the version. There is only a single version for `types.ServerV2` making the check unnecessary. * Add `GetLabel` to `types.ResourceWithLables` `GetAllLabels` can be overkill if one simply needs to look up the value for a particular label. It creates a new `map[string]string` and copies all of a resources existing labels. RBAC decisions driven by labels incurred the penalty of the copy each time access was checked. The impact of the copy is much more noticeable when a resource has several labels or really long strings in the key or value. By leveraging `GetLabel` RBAC can avoid copying the labels altogether and simply lookup each label key when required.
* Add benchmark for ListNodes * Move RBAC logging to trace level BenchmarkListNodes is twice as slow when RBAC logging is enabled. By switching RBAC logging from debug to trace we can eliminate the performance hit while still providing a way for users to opt in to the behavior if they need to debug RBAC. * Intern compiled regular expressions Profiles of the benchmark test revealed that the `regexp.Compile` done within `utils.matchString` was the most cpu and memory intensive portion of the tests. By leveraging a `lru.Cache` to intern the compiled regular expressions we get quite a performance improvement. * Only fetch a single page of resources Increases the request limit prior to loading the resources from the cache so that we load enough items in a single page to determine the start key of the next page. * Remove version checking from `services.UnmarshalServer` Unmarshal directly to a `types.ServerV2` instead of first creating a `types.ResourceHeader` to inspect the version. There is only a single version for `types.ServerV2` making the check unnecessary. * Add `GetLabel` to `types.ResourceWithLables` `GetAllLabels` can be overkill if one simply needs to look up the value for a particular label. It creates a new `map[string]string` and copies all of a resources existing labels. RBAC decisions driven by labels incurred the penalty of the copy each time access was checked. The impact of the copy is much more noticeable when a resource has several labels or really long strings in the key or value. By leveraging `GetLabel` RBAC can avoid copying the labels altogether and simply lookup each label key when required.
* Add benchmark for ListNodes * Move RBAC logging to trace level BenchmarkListNodes is twice as slow when RBAC logging is enabled. By switching RBAC logging from debug to trace we can eliminate the performance hit while still providing a way for users to opt in to the behavior if they need to debug RBAC. * Intern compiled regular expressions Profiles of the benchmark test revealed that the `regexp.Compile` done within `utils.matchString` was the most cpu and memory intensive portion of the tests. By leveraging a `lru.Cache` to intern the compiled regular expressions we get quite a performance improvement. * Only fetch a single page of resources Increases the request limit prior to loading the resources from the cache so that we load enough items in a single page to determine the start key of the next page. * Remove version checking from `services.UnmarshalServer` Unmarshal directly to a `types.ServerV2` instead of first creating a `types.ResourceHeader` to inspect the version. There is only a single version for `types.ServerV2` making the check unnecessary. * Add `GetLabel` to `types.ResourceWithLables` `GetAllLabels` can be overkill if one simply needs to look up the value for a particular label. It creates a new `map[string]string` and copies all of a resources existing labels. RBAC decisions driven by labels incurred the penalty of the copy each time access was checked. The impact of the copy is much more noticeable when a resource has several labels or really long strings in the key or value. By leveraging `GetLabel` RBAC can avoid copying the labels altogether and simply lookup each label key when required.
Reduces latency of
proto.AuthService/ListResources
in a variety of ways:*regexp.Regexp
in a LRU cache so that they can be reused during RBACGetLabel(key string) (value string, ok bool)
totypes.ResourcesWithLabels
to prevent copying the entire label set when we just need to look up keysauth.ServerWithRoles.ListResources
services.UnmarshalServer
to unmarshal directly into atypes.ServerV2
instead of first into atypes.ResourceHeader
to check that the version istypes.V2
Comparison of
BenchmarkListNodes
from b1715a5 to ec0860c: