[Feature] GetImplicitPermissionsForUser: optimize 99% latency by avoiding use of roleManager.hasLinkHelper

Open csdz opened this issue 1 year ago • 1 comments

model description

pType 'p'

In my RBAC policy, ptype 'p' may have the same v0 (policy_id) across different rules, such as:

--- definition
ptype, policy_id, resource_id, action, effect, condition, tenant (about 13000rules)
--- rules preview
p,p1,*,*,allow,{},o0
p,p2,*,account:*,allow,{},o0
p,p2,*,platform:*,allow,{},o0

pType 'g'

The g ptype has a simple model:

--- definition
user_id, policy_id, tenant_id (about 30000 rules)
user_id, group_id, tenant_id (about 1000 rules)
group_id, policy_id, tenant_id (about 5000 rules)
---
g,u123,p1,o0
g,u123,g1,o0
g,g1,p2,o0

matchers

The matchers definition is:

m = regexMatch(r.obj, p.obj) && \
regexMatch(r.act, p.act) && \
matchFunc(r.cond, p.cond) && \
g(r.sub, p.sub, r.dom)

performance analysis

Calling GetImplicitPermissionsForUser takes about 15-20 seconds, and I got the pprof CPU profile below. 80% of the time is spent calling the function roleManager.hasLinkHelper len(model["p"]["p"].Policy) times: [image]

desired solution

GetImplicitPermissionsForUser can first fetch the policy-roles (roles that relate to a policy_id) via GetImplicitRolesForUser, then collect the policies that match a policy-role in a for-loop. It would optimize 99% of the latency of the function GetImplicitPermissionsForUser.

csdz, Dec 17 '23 10:12

@tangyang9464 @JalinWang

casbin-bot, Dec 17 '23 10:12
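
The approach proposed in the issue above, as an added stand-alone Go example (not Casbin's code and not the reporter's): resolve the user's implicit roles once per tenant, then filter the p rules by set membership instead of running a role-graph search for every p rule. `gRule`, `gRules`, `pRules`, `implicitRoles` and `implicitPermissions` are hypothetical names, the rules are constructed sample data, and treating the last p field as the tenant is an assumption.

```go
package main

import "fmt"

// Constructed sample rules shaped like the issue's: g = (subject, role, tenant),
// p = (policy_id, resource, action, effect, condition, tenant).
type gRule struct{ sub, role, dom string }
var gRules = []gRule{{"u123", "p1", "o0"}, {"u123", "g1", "o0"}, {"g1", "p2", "o0"}, {"u123", "p3", "o1"}}
var pRules = [][]string{
	{"p1", "*", "*", "allow", "{}", "o0"},
	{"p2", "*", "account:*", "allow", "{}", "o0"},
	{"p2", "*", "platform:*", "allow", "{}", "o0"},
	{"p3", "*", "billing:*", "allow", "{}", "o0"},
}

// implicitRoles walks the g graph once and returns the user plus every role
// reachable from it within one tenant; the seen set also stops on cycles.
func implicitRoles(user, dom string) map[string]bool {
	direct := map[string][]string{}
	for _, g := range gRules {
		if g.dom == dom { // a grant in another tenant must not leak into this one
			direct[g.sub] = append(direct[g.sub], g.role)
		}
	}
	seen := map[string]bool{user: true}
	for queue := []string{user}; len(queue) > 0; queue = queue[1:] {
		for _, r := range direct[queue[0]] {
			if !seen[r] {
				seen[r] = true
				queue = append(queue, r)
			}
		}
	}
	return seen
}

// implicitPermissions does one set lookup per p rule instead of one
// role-graph search per p rule (the hasLinkHelper cost in the profile).
func implicitPermissions(user, dom string) [][]string {
	roles := implicitRoles(user, dom)
	var out [][]string
	for _, p := range pRules {
		if roles[p[0]] && p[len(p)-1] == dom { // assumption: tenant is the last p field
			out = append(out, p)
		}
	}
	return out
}
func main() { fmt.Println(implicitPermissions("u123", "o0")) }
```

The `u123 -> p3` grant exists only in tenant `o1`, so the `o0` query must not return the `p3` rule; any optimized path has to preserve that per-tenant scoping.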