-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RFC: support batch authorization requests #13
Comments
Yes, I think there should be an is_authorized signature that accepts a batch of requests. I don't know if the primary overhead is FFI, parsing, or something else yet, but the Cedar From some internal unit tests:
The time observed in Python is consistently 2 orders of magnitude greater than the authorizer.is_authorized call. As far as an actual batch impl goes, I think we should identify key use cases and see how the requests vary. I think there's a good chance we'll need to provide a way for people to provide a list of requests while keeping their policies and entities static. In my own access analysis use cases, we need build requests that vary actions (primarily) and resources (might be a nice to have). Another fun bit is that batching means you'll need to correlate the request in the input to the AuthzResult in the output. |
Craig Disselkoen (Cedar Team) suggested we may want to offer methods to load and return opaque I think this is potentially a really good idea based on my first encounter with larger sets of entities. However it really drove home that we really don't know how |
Implemented |
Merged initial Will keep this open until (at least) we adopt the batch API internally. That will help discover whether we need an explicit request-response correlation mechanism. |
When integrating |
While the vast majority of requests likely operate on a single resource and can be handled efficiently by the current implementation, depending on the permission model that an application has list operations may need to check authorization against multiple resources and it is inefficient to do a full Python-to-Rust roundtrip for each check.
This is a proposal to modify the
is_authorized
signature from:where
request
looks liketo take a list of resource entity IDs and return a list of
AuthzResult
.An alternative approach suggested by @skuenzli that would maintain backwards compatibility would be to create a new
is_batch_authorized
oris_authorized_batch
(inspired byis_authorized_partial
in the existing Cedar API) that takes a list of requests and returns a list of results. To reduce code duplication, internally both functions could call the same underlying Rust implementation. This alternative would also allow more flexibility for the caller to provide alternative principal / action / resource / context in each request. A potential downside of providing a batch of requests is that thecontext
content would need to be provided for each, possibly making the amount of data sent from Python to Rust much larger.With a naive implementation, the batch call in the test below is about 5x faster on my test machine and is able to perform a batch of 1000 authorization checks in ~134ms, compared to 688ms for 1000 individual calls. A brief test with more entities shows that the performance improvement only gets better.
1000 calls / 1 resource
1 call / 1000 resources
Naive test script
The text was updated successfully, but these errors were encountered: