RHDHBUGS-1239 (Red Hat Developer Hub Bugs)

RBAC performance issues with large number of entities


    • Bug
    • Resolution: Done
    • Major
    • 1.5.0
    • 1.3.0
    • RBAC Plugin
    • None
    • 5
    • False
    • False
    • = RBAC performance for large user and group counts

      Previously, organizations with a large number of users and groups experienced slower response times due to RBAC permission evaluations. This update includes performance improvements to help mitigate those slowdowns.
    • Bug Fix
    • Done
    • RHDH Plugins 3264, RHDH Plugins 3265, RHDH Plugins 3266, RHDH Plugins 3267, RHDH Plugins 3268, RHDH Plugins 3269, RHDH Plugins 3270, RHDH Plugins 3271

      Description of problem:

      We are ingesting approx. 14k groups and 24k users using the LDAP plugin. We enabled the RBAC backend and frontend plugin with no user/group policy via CSV. We added ourselves as part of superadmin. We noticed most of the pages on Developer Hub take around 5-7 seconds to load. This is a huge setback to enabling RBAC on our enterprise developer hub.

      Prerequisites (if any, like setup, operators/versions):

      • Helm installation
        • Postgres:
          • CPU - 4
          • Memory: 9Gi
        • Backstage:
          • CPU - 4
          • Memory: 8Gi
      • LDAP server (Use Red Hat LDAP server ldap.corp.redhat.com)

      Steps to Reproduce

      1. Set up RHDH using Helm charts
      2. Configure LDAP provider to ingest users/groups from LDAP server (ldap.corp.redhat.com, accessible over VPN)
      3. Configure basic RBAC policy using CSV and add frontend plugin.
      4. Add yourself as a superadmin in RBAC CSV
      5. Try to use RHDH as usual and notice degraded environment
      6. Try to configure RBAC using frontend plugin

      Actual results:

      There should be no visible difference of enabling RBAC on user experience with using RHDH

      Expected results:

      Significantly downgraded service

      Reproducibility (Always/Intermittent/Only Once):

      Always

      Build Details:

      RHDH Version: 1.3.1
      Backstage Version: 1.29.2
      Upstream: https://github.com/janus-idp/backstage-showcase/tree/release-1.3 @ ee96f8e3
      Midstream: https://gitlab.cee.redhat.com/rhidp/rhdh/-/commits/rhdh-1.3-rhel-9 @ e5035447
      Build Time: 2024-10-22T18:32:08Z 

      Additional info (Such as Logs, Screenshots, etc):

      LDAP configuration (values.yaml)

            - package: '@developer-platform/backstage-plugin-catalog-backend-module-ldap-transformers-dynamic@0.2.0'
              integrity: 'sha256-KlAhi+8KJ1zeTYhVigWpzHGPLiSrXclCS4xFw0RrcmI='
            - package: '@developer-platform/backstage-plugin-catalog-backend-module-ldap-dynamic@0.7.0'
              integrity: 'sha256-DtqFh8taadOpJ8TbOaqmLn0gf13gDxMSVbUDR5DL/SM='
              pluginConfig:
                catalog:
                  providers:
                    ldapOrg:
                      default:
                        target: ldaps://ldap.corp.redhat.com
                        schedule:
                          frequency: { hours: 2 }
                          timeout: { minutes: 30 }
                          initialDelay: { seconds: 7 }
                        users:
                          dn: ou=Users,dc=redhat,dc=com
                          options:
                            timeLimit: 5000
                            paged: true
                            filter: (objectClass=rhatPerson)
                            attributes: ['cn','rhatJobTitle','uid','mail','memberOf']
                          map:
                            description: rhatJobTitle
                            memberOf: memberOf
                            displayName: cn
                            email: mail
                          set:
                            metadata.namespace: 'default'
                        groups:
                          dn: ou=adhoc,ou=managedGroups,dc=redhat,dc=com
                          options:
                            timeLimit: 5000
                            paged: true
                            filter: (objectClass=rhatRoverGroup)
                            attributes: ['cn','description','uniqueMember']
                          map:
                            name: cn
                            description: description
                            members: uniqueMember
                          set:
                            metadata.namespace: 'default'
                            spec.type: 'team'

      cc: rh-ee-pknight 

              rh-ee-pknight Patrick Knight
              rhit_savsingh Savitoj Singh
              RHIDP - Plugins
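
The report gives the LDAP provider configuration but not the RBAC side of steps 3 and 4. The fragment below is an added example, not configuration taken from the report: an app-config sketch of a CSV-backed RBAC setup with a superuser. The CSV path, the role name and the `<your-uid>` placeholder are assumptions.

```yaml
# Added example: app-config fragment for reproduction steps 3 and 4.
# Values marked "assumed" or "placeholder" do not come from the report.
permission:
  enabled: true                # turns on the permission framework; requests are now evaluated by RBAC
  rbac:
    # Assumed path: the CSV has to be mounted into the Backstage container at this location.
    policies-csv-file: /opt/app-root/src/rbac-policy.csv
    admin:
      superUsers:
        # Placeholder entity ref. The LDAP provider above sets metadata.namespace to
        # 'default', so ingested users resolve to user:default/<name>.
        - name: user:default/<your-uid>

# rbac-policy.csv (constructed sample, one permission line in Casbin syntax):
#   p, role:default/catalog-reader, catalog-entity, read, allow
#
# The report states that no user/group policy was supplied via CSV, so the sample
# contains no "g, <user-or-group ref>, <role>" assignment lines.
```

Entries under `superUsers` are treated as RBAC administrators with unrestricted access, so keep that list to the accounts needed for the reproduction.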