Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OPA: Allow prepare query optimisation via partial evaluation #3277

Draft
wants to merge 4 commits into
base: master
Choose a base branch
from

Conversation

mjungsbluth
Copy link
Collaborator

@mjungsbluth mjungsbluth commented Oct 16, 2024

This adds a command line flag that enables an optimisation of OPA policies before they are evaluated in the respective filters. This preparation optimises the policies for cpu at the expense of using more memory and uses a core OPA feature.

Missing:

  • Wait for upstream PR to merged
  • Benchmarks on a medium complex policy (cpu vs memory)

@Pushpalanka Pushpalanka force-pushed the opa_partial_evaluation_optimisation branch from 0cee1c3 to d4dcf59 Compare December 6, 2024 13:03
@Pushpalanka Pushpalanka added the major moderate risk, for example new API, small filter changes that have no risk like refactoring or logs label Dec 6, 2024
@Pushpalanka Pushpalanka force-pushed the opa_partial_evaluation_optimisation branch from d4dcf59 to a691b2e Compare December 6, 2024 13:17
@Pushpalanka Pushpalanka force-pushed the opa_partial_evaluation_optimisation branch from 58ec5ef to 8f8cd77 Compare December 6, 2024 22:12
@Pushpalanka Pushpalanka force-pushed the opa_partial_evaluation_optimisation branch from 8f8cd77 to 02588ce Compare December 8, 2024 22:05
@Pushpalanka
Copy link
Collaborator

Pushpalanka commented Dec 8, 2024

Benchmark results on commit 02588ce

Observation:
For the exact pure JWT validation policy could see a slight improvement with pre-evaluation against without it.
But this policy in current commit with additional data.json involved rules, optimization was negatively affecting CPU performance (if the flag usage correctly understood).

Carried out with authorize-request-jwt-validation-with-pre-evaluation benchmark test, setting the pre-evaluation flag true vs false.
goos: darwin
goarch: arm64
cpu: Apple M1

With pre-evaluation

-memprofile pre-eval-true-mem5.prof
195        5868242 ns/op        2657280 B/op         40073 allocs/op
3.592s

-cpuprofile pre-eval-true5.prof
199        5845913 ns/op        2654548 B/op        40012 allocs/op
3.302s

With pre-evaluation flag false

-memprofile pre-eval-false-mem5.prof
9117        125310 ns/op        77774 B/op        1299 allocs/op
3.090s

-cpuprofile pre-eval-false5.prof
9334        121684 ns/op        77735 B/op        1299 allocs/op
3.054s

Memory

Without pre-evaluation
image

With pre-evaluation
image

CPU

Without pre evaluation
image

With pre-evaluation
image

Profiles attached.
pre-eval-false-cpu.txt
pre-eval-true-cpu.txt
pre-eval-true-mem.txt
pre-eval-false-mem.txt

May be a test using a much larger data source via a bundle would provide more insights.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
major moderate risk, for example new API, small filter changes that have no risk like refactoring or logs
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants