Skip to content

Improve performance of check_rights - memoize? #404

New issue
New issue
Open
Open
Improve performance of check_rights - memoize?#404
Labels
performanceSpeed improvements
@joepio

Description

@joepio
joepio
opened on Apr 28, 2022

Authorization checks are one of the largest performance costs at this time for Atomic-Server. The performance is still really good, but I'm sure we can speed up many requests by a factor of two if we can improve rights checking.

The core issue is that rights checking involves recursively checking parents. This is not a particularly slow operation by itself, but deeply nested resources that derive their rights from top-level resources can spend most of their execution / fetch time checking rights because of this.

How can we speed this up?

Memoize check_rights

Basically, for a given resource + agent + right, we store (in memory) what the answer is.

Approaches:

  • We can create a DashMap or something similar that functions as a specific in-memory store. The Key represents subject+agent+right, the value is true or false plus maybe some timestamp for cache invalidation. We should have a Store wide setting for the amount of time that needs to pass, and set this to 0 for most of the authorization tests. Also, I think we should always check again if the answer is no to can user x do y. Otherwise, users may need to wait for x seconds (or minutes) before they get access to something. Yuck!
  • We use sled and do the same, but on disk. Might be a tad slower, although Sled also caches in memory
  • We invalidate on Commit. I would not like to write this - cache invalidation is hard.

Improve lookup time for specific values - skip the resource

See #402. Will be slower than memoizing the answer, but would probably be fast in many scenarios. However, I'm kind of concerned for cases where the rights resourceArrays become very large. Even if we implement #402, we'll still need to iterate over every single value in that array and check if the user is there.

Use the Value Index

The Value Index can be used to find incoming links. We could filter by Value (the agent) and Property (the right), and check if the resulting resources are in fact parents.

But how do we check if these are parents? That would still be just as costly, as we'd still need to iterate over every step.

Check Drive resources first

If we use subdomains for URLs, we can very quickly find the Drive resource and check if the user has write / read rights there. This will be the case for 99% of the situations.

Other ideas?

Let me know!

Metadata

Metadata

Assignees

No one assigned

    Labels

    performanceSpeed improvements

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions