feat: Turn on rbac check caching (#6202)

* chore: Turn on rbac check caching. Should not affect much unless authz_querier experiment is enabled
2025-07-15 22:20:27 +00:00 · 2023-02-15 08:56:07 -06:00
parent fac7c02eeb
commit 4cbbd1376d
9 changed files with 61 additions and 9 deletions
--- a/coderd/rbac/cache_test.go
+++ b/coderd/rbac/cache_test.go
@ -2,6 +2,7 @@ package rbac_test

 import (
 	"context"
+	"fmt"
 	"testing"

 	"github.com/stretchr/testify/require"
@ -10,6 +11,33 @@ import (
 	"github.com/coder/coder/coderd/rbac"
 )

+// BenchmarkCacher benchmarks the performance of the cacher with a given
+// cache size. The expected cache size in prod will usually be 1-2. In Filter
+// cases it can get as high as 10.
+func BenchmarkCacher(b *testing.B) {
+	b.ResetTimer()
+	// Size of the cache.
+	sizes := []int{1, 10, 100, 1000}
+	for _, size := range sizes {
+		b.Run(fmt.Sprintf("Size%d", size), func(b *testing.B) {
+			ctx := rbac.WithCacheCtx(context.Background())
+			authz := rbac.Cacher(&coderdtest.FakeAuthorizer{AlwaysReturn: nil})
+			for i := 0; i < size; i++ {
+				// Preload the cache of a given size
+				subj, obj, action := coderdtest.RandomRBACSubject(), coderdtest.RandomRBACObject(), coderdtest.RandomRBACAction()
+				_ = authz.Authorize(ctx, subj, action, obj)
+			}
+
+			// Cache is loaded as a slice, so this cache hit is always the last element.
+			subj, obj, action := coderdtest.RandomRBACSubject(), coderdtest.RandomRBACObject(), coderdtest.RandomRBACAction()
+			b.ResetTimer()
+			for i := 0; i < b.N; i++ {
+				_ = authz.Authorize(ctx, subj, action, obj)
+			}
+		})
+	}
+}
+
 func TestCacher(t *testing.T) {
 	t.Parallel()