chore: improve rbac and add benchmark tooling #18584
Conversation
ca7deed to
c1fe8e3
Compare
c1fe8e3 to
29222a1
Compare
There was a problem hiding this comment.
Wow! Thanks for all of the work you put into this!
Out of curiousity, I wonder if your changes to the policy had any measurable benchmark difference? I would assume that it remains basically the same, but it could be interesting to see the benchmark results now that we have the tools 😁
Thank you! 🫶 I had some of these things stashed and thought they would be a good addition for future reference.
I was a bit worried about breaking something 😅 so I ran the tests yesterday, it was slightly better, but nothing significantly different:
|
| bool_flip(b) := flipped if { | ||
| bool_flip(b) := false if { | ||
| b | ||
| flipped = false | ||
| } | ||
|
|
||
| bool_flip(b) := flipped if { | ||
| bool_flip(b) := true if { | ||
| not b | ||
| flipped = true | ||
| } |
| number(set) := c if { | ||
| # Return -1 if the set contains any 'false' value (i.e., an explicit deny) | ||
| number(set) := -1 if { | ||
| false in set | ||
| c := -1 | ||
| } | ||
|
|
||
| number(set) := c if { | ||
| # Return 0 if the set is empty (no matching permissions) | ||
| number(set) := 0 if { | ||
| count(set) == 0 | ||
| } | ||
|
|
||
| # Return 1 if the set is non-empty and contains no 'false' values (i.e., only allows) | ||
| number(set) := 1 if { | ||
| not false in set | ||
| set[_] | ||
| c := 1 | ||
| } |
coderd/rbac/scripts/gen_input.go
Outdated
| // TODO: support arguments for subject, action and object | ||
| func main() { |
There was a problem hiding this comment.
totally fine to start with this 👍
Description
This PR improves the RBAC package by refactoring the policy, enhancing documentation, and adding utility scripts.
Changes
policy.regofor clarity and readabilitybenchmark_authz.shscript for authz performance testing and comparisongen_input.goto generate input foropa evaltesting