[Bug] Performance issue in RBAC with pattern matching domains #1004
Comments
@tangyang9464 @closetool @sagilio
@abichinger maybe you have a better idea about it.
I think the problem is that the default role manager can't distinguish between pattern and plain strings. As a result the role manager will treat every string as a pattern, if a If we could identify patterns, then we would only have to iterate over a subset of all roles, instead of all of them, each time a user is added. (FastAC uses util.IMatcher to solve this) Nonetheless, this would not fix the performance issue of the example, because the example uses patterns only.
@silverspace do you really intend to only use patterns for
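A simplified model of the point made in the comment above, as an added example that is not part of the thread and is not Casbin's role manager code: it counts matcher calls when every stored string is treated as a possible pattern versus when plain strings are kept apart from patterns. The match function, the trailing-* wildcard convention and the domainN names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

var matchCalls int // matcher invocations since the last call to calls()

// match is a stand-in matcher (not util.KeyMatch4): a trailing "*" is a wildcard.
func match(key, pattern string) bool {
	matchCalls++
	prefix := strings.TrimSuffix(pattern, "*")
	return key == pattern || (prefix != pattern && strings.HasPrefix(key, prefix))
}

// calls adds nPlain literal domains, then nPat wildcard domains (constructed
// sample input), one at a time, and returns how often match ran.
// indexed=false treats every stored string as a possible pattern.
func calls(nPlain, nPat int, indexed bool) int {
	matchCalls = 0
	var plain, patterns []string
	for i := 0; i < nPlain+nPat; i++ {
		d := fmt.Sprintf("domain%d", i)
		if i >= nPlain {
			d += "/*" // constructed wildcard domain
		}
		if indexed && !strings.Contains(d, "*") {
			for _, p := range patterns { // a plain name can only be covered by a pattern
				match(d, p)
			}
			plain = append(plain, d)
			continue
		}
		for _, s := range plain { // d is a pattern and may cover stored plain names
			match(s, d)
		}
		for _, p := range patterns { // either side may be the pattern, so check both
			match(d, p)
			match(p, d)
		}
		patterns = append(patterns, d)
	}
	return matchCalls
}

func main() {
	fmt.Println("mixed:", calls(1000, 10, false), "vs", calls(1000, 10, true))
	fmt.Println("patterns only:", calls(0, 1000, false), "vs", calls(0, 1000, true))
}
```

With 1000 plain domains and 10 patterns the indexed variant makes 10090 matcher calls instead of 1019090. With 1000 patterns and no plain domains both variants make 999000 calls, which is the patterns-only case the comment says this would not fix.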
For my actual use case I stopped using RBAC patterns entirely, since they were prohibitively expensive. I think that the Casbin project should consider dropping this feature entirely, or at the very least adding a huge caveat to the documentation that this could lead to major performance issues. I don't think that my example above is far fetched for a reasonable implementation of domain patterns, and I think it is reasonable to assume that the built in Thanks for the FastAC link! It doesn't look like they support pattern domains, but it does look like a clever approach of reducing the search space for the matching functions.
[WeOpen Star] I would like to help
This issue gave us so much headache for two days and finally we found out the culprit is the use of matchingDomainForGFunction and matchingForGFunction. We wanted to use pattern matching for domains but we eventually had to drop that due to the performance issues. Is there any plan to fix this problem?
Describe the bug
When I modify the BenchmarkRBACModelWithDomainPatternLarge performance test to add a bunch of unrelated users and then try to fetch an unauthorized resource, I see an exponential number of calls to the domain matching function util.KeyMatch4, resulting in exponentially bad performance related to the number of additional users.
For context, I am trying to use a model.conf similar to this large scale performance test, but I am hitting massive performance issues when many different users with different domains are added.
To Reproduce
I've modified the existing BenchmarkRBACModelWithDomainPatternLarge benchmark test to first add 1000 unrelated users with different domains to the unrelated role staffOrgUser. The result is that each of these users is being evaluated an exponential number of times when we try to run the enforcer.
This results in an exponential number of calls to util.KeyMatch4 (the domain matching function), exponentially related to the number of users added. (e.g. if I increase 1000 to 10000, the benchmark never ends).
Expected behavior
Without these additional 1000 users, the performance is: