chore: Optimize parial rego execution byte allocations (#6144)

* chore: Implement benchmark for authorizer.Prepare Identify time + alloc cost before optimizing
2025-07-03 16:13:58 +00:00 · 2023-02-10 08:39:45 -06:00
parent ab9cba9396
commit 32fbd10a1f
5 changed files with 51 additions and 25 deletions
--- a/coderd/rbac/authz.go
+++ b/coderd/rbac/authz.go
@ -139,7 +139,8 @@ func Filter[O Objecter](ctx context.Context, auth Authorizer, subject Subject, a

 // RegoAuthorizer will use a prepared rego query for performing authorize()
 type RegoAuthorizer struct {
-	query rego.PreparedEvalQuery
+	query        rego.PreparedEvalQuery
+	partialQuery rego.PreparedPartialQuery

 	authorizeHist *prometheus.HistogramVec
 	prepareHist   prometheus.Histogram
@ -151,9 +152,10 @@ var (
 	// Load the policy from policy.rego in this directory.
 	//
 	//go:embed policy.rego
-	policy    string
-	queryOnce sync.Once
-	query     rego.PreparedEvalQuery
+	policy       string
+	queryOnce    sync.Once
+	query        rego.PreparedEvalQuery
+	partialQuery rego.PreparedPartialQuery
 )

 func NewAuthorizer(registry prometheus.Registerer) *RegoAuthorizer {
@ -166,6 +168,21 @@ func NewAuthorizer(registry prometheus.Registerer) *RegoAuthorizer {
 		if err != nil {
 			panic(xerrors.Errorf("compile rego: %w", err))
 		}
+
+		partialQuery, err = rego.New(
+			rego.Unknowns([]string{
+				"input.object.id",
+				"input.object.owner",
+				"input.object.org_owner",
+				"input.object.acl_user_list",
+				"input.object.acl_group_list",
+			}),
+			rego.Query("data.authz.allow = true"),
+			rego.Module("policy.rego", policy),
+		).PrepareForPartial(context.Background())
+		if err != nil {
+			panic(xerrors.Errorf("compile partial rego: %w", err))
+		}
 	})

 	// Register metrics to prometheus.
@ -207,7 +224,8 @@ func NewAuthorizer(registry prometheus.Registerer) *RegoAuthorizer {
 	})

 	return &RegoAuthorizer{
-		query: query,
+		query:        query,
+		partialQuery: partialQuery,

 		authorizeHist: authorizeHistogram,
 		prepareHist:   prepareHistogram,
@ -289,7 +307,7 @@ func (a RegoAuthorizer) Prepare(ctx context.Context, subject Subject, action Act
 	)
 	defer span.End()

-	prepared, err := newPartialAuthorizer(ctx, subject, action, objectType)
+	prepared, err := a.newPartialAuthorizer(ctx, subject, action, objectType)
 	if err != nil {
 		return nil, xerrors.Errorf("new partial authorizer: %w", err)
 	}