ext_authz cache #37953
ext_authz cache #37953
Conversation
|
Hi @naoitoi-v, welcome and thank you for your contribution. We will try to review your Pull Request as quickly as possible. In the meantime, please take a look at the contribution guidelines if you have not done so already. |
|
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to |
|
Some early feedback:
|
|
A drive-by suggestion: it may be beneficial to generalize the caching for both ext_authz and ext_proc. |
|
Related to what Adi said, I think you need to cache the response message and replay it on each request. It may add or remove headers, etc. Just looking at the status code is insufficient. |
|
Thank you for your early and insightful feedback, @ggreenway, @adisuissa.
Great point! In our (Verkada's) use case, it's important to keep the memory footprint as small as possible. We expect few evictions. We'll change this implementation to random eviction. In the future, there may be users who want more sophisficated eviction policies (e.g., LRU, random sampling-based LRU). We'll restructure the code so that one can provide different cache implementation.
Good point. For now we'll make it to look at only one header. Our use case may require it to look at multiple headers for leagacy reasons. If we have to go that route, we'll use header + auth token as a cache key, so we wouldn't mix auth tokens from multiple headers.
Yes, we started this effort. Fixing things pointed out by //tools/code_format:check_format and //tools/code:check .
This makes sense. We'll try it.
This makes sense. In our use case, we'd only need the status code. It's important to minimize the memory footprint. We'll write the code to store and replay the response messages and all the headers. We'll make this configurable so that the user can decide to store response & headers, or not. ** Thanks for the great discussion, again. We'll keep you updated on the progress. Nao |
Signed-off-by: Nao Itoi <[email protected]>
|
I took care of (3) coding style. |
Commit Message: This is a draft PR to discuss the design of the response cache in the ext_authz filter.
We are seeking feedback on the design to make sure this is headed to the right direction.
Similar requests were discussed in #37449 and #3023
Additional Description:
Purpose:
We would like to cache the response from an external authorization server in the ext_authz filter for scalability. Depending on the use case, if you do not have to check the authentication token on every request, you can reduce the number of calls to the server by caching the response from it.
Functionality:
To use this functionality, you need to configure the name(s) of the header(s) in which the auth token is carried, e.g., "Authorization" or "x-auth-token." You can also configure the max cache size and TTL. When this is configured, ext_authz will cache the response from the external authorization server.
Implementation:
We implemented a simple cache. Responses are stored in a simple unordered_map. We implemented a simple FIFO eviction policy over the LRU policy to make the cache size small. In our benchmark, for each cache key (35 bytes), we need ~100 bytes of memory.
We store a response in the cache in the onComplete() method.
We read a cached response in the decoderHeaders() method.
Next Steps:
Risk Level: Low. This functionality would be turned off by default.
Testing: TBD
Docs Changes:
Release Notes:
Platform Specific Features:
[Optional Runtime guard:]
[Optional Fixes #Issue]
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional API Considerations:]