Query evaluation taking more time when opa is used as envoy authorization filter

[PriyaKatkade]

I am running OPA as a authorization filter in envoy. I have written a simple RBAC policy. I have executed policy in REGO playground. Its taking microseconds to evaluate the policy. But if I provide same policy to OPA which is running as an authorization filter its taking milliseconds to evaluate the policy, so which is not effective for us.

Would you please tell me why this is happening?

[tsandall]

@PriyaKatkade it's tough to say without addition information like:

• How you've measured latency in the Envoy case? Are you looking at the metrics in the decision log? If not, please include a log snippet that shows a decision log record w/ metrics.
• Any environment settings like cpu/memory limits on the OPA container (if applicable)
• OPA version

[PriyaKatkade]

• I already have included log snippet. From decision log record metrics itself I have observed that its taking more time for query evaluation in Envoy case.

• Environment settings like cpu/memory limits are not provided.

• I am using "openpolicyagent/opa:0.10.7-envoy" this docker image.

[tsandall]

@PriyaKatkade please retest with the latest version: openpolicyagent/opa:0.22.0-istio.

[PriyaKatkade]

@tsandall Thank you.
I have tested with the latest version which you have suggested. But unfortunately its taking more time compare to old version openpolicyagent/opa:0.10.7-envoy".

According to decision metrics logs, "timer_server_handler_ns" is taking more time. Also "timer_rego_query_eval_ns" is sometime taking microseconds but lots of time its taking milliseconds.
Overall total decision time is less in old version and more in this latest version.

I have a simple policy:

package envoy.authz
default allow = false
allow {
true
}

For this policy its taking 2-3 milliseconds decision time. i didn't get why this is happening even though policy is very simple

[tsandall]

@PriyaKatkade sorry for the delayed response. Did you get this resolved? If a trivial policy like the one above is taking 2-3 milliseconds in your environment, that sounds like a hardware/environmental issue. For example, on my thinkpad, query evaluation of that trivial policy takes about 20 microseconds:

torin:~$ cat ~/x.rego
package envoy.authz

default allow = false

allow = true

torin:~$ opa bench -d x.rego 'data.envoy.authz.allow = x'
+-------------------------------------------+------------+
| samples                                   |      57595 |
| ns/op                                     |      21406 |
| B/op                                      |       6403 |
| allocs/op                                 |        102 |
| histogram_timer_rego_query_eval_ns_75%    |      14960 |
| histogram_timer_rego_query_eval_ns_90%    |      17262 |
| histogram_timer_rego_query_eval_ns_95%    |      18867 |
| histogram_timer_rego_query_eval_ns_99%    |      29992 |
| histogram_timer_rego_query_eval_ns_99.9%  |     306361 |
| histogram_timer_rego_query_eval_ns_99.99% |     307700 |
| histogram_timer_rego_query_eval_ns_count  |      57595 |
| histogram_timer_rego_query_eval_ns_max    |     307700 |
| histogram_timer_rego_query_eval_ns_mean   |      14295 |
| histogram_timer_rego_query_eval_ns_median |      13200 |
| histogram_timer_rego_query_eval_ns_min    |       7668 |
| histogram_timer_rego_query_eval_ns_stddev |      12437 |
+-------------------------------------------+------------+

[tsandall]

I'm going to close this issue because there hasn't been a response and it's unclear whether this was just an environmental issue. We can re-open if needed.