1

Let's take a scenario where subjects will be requesting access to many objects per second. A heavy load on a single PDP would mean an increase in wait and read/write times per request.

So far I have used the AuthzForce Core project to set up a single PDP for which I have a for loop sending multiple requests (this can be done simultaneously using threads). However, this does not seem like a suitable setup for evaluating my policies in a distributed environment.

Is there any way that it can be done? Perhaps using AuthzForce Server?

Edit:

I am running a Java application which uses AuthzForce Core. The program creates an instance of a PDP which loads a single policy document, and then a for loop executes multiple requests. This is all done locally within the program itself.

rshah
  • 1
    You have several options. One of them would be to use the multiple decision profile. Another would be to use the reverse query. – David Brossard Jun 09 '19 at 17:30
  • 2
    Is the PDP embedded in your app or remote server (sending requests over the network)? – cdan Jun 10 '19 at 00:17
  • So far I am running a Java application which uses the AuthzForce Core project, where I create an instance of a PDP which loads a single policy document, and then a for loop executes multiple requests. So it's all done locally within the program – rshah Jun 10 '19 at 14:39
  • @DavidBrossard Can you elaborate? – rshah Jun 10 '19 at 14:39
  • Where do you load the policy document from? Local filesystem, remote database...? – cdan Jun 23 '19 at 15:49

2 Answers

1

AuthzForce Server has an option for high availability: https://github.com/authzforce/fiware/blob/master/doc/InstallationAndAdministrationGuide.rst#high-availability

You could follow the same guidelines to implement this using your single PDP.

Rafael Sisto
1

It is difficult to help improve the performance here without looking at the code or the architecture, but I can give a few general tips (some of them may be obvious to you, but just to be thorough):

  1. Since the PDP is embedded in your Java app, I assume (or make sure you do) you are using the AuthzForce native Java API (example on the README), which is the most efficient way to evaluate.

  2. I also assume you are (re-)using the same PDP (BasePdpEngine) instance throughout the lifetime of your application. It should be thread-safe.

  3. In order to evaluate multiple requests at once, you may try the PDP engine's evaluate(List) method (javadoc) instead of the usual evaluate(DecisionRequest), which is faster in some cases.

  4. If by "distributed environment", you mean that you may have multiple instances of your Java app deployed in different places, therefore multiple PDPs, the right setup(s) depend on where/how you load the policy document: local file, remote db, etc. See my last comment. As mentioned in Rafael Sisto's answer, you can reuse some guidelines from the High Availability section of the AuthzForce Server installation guide there.

cdan
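Tips 1 and 2 of the answer above, as an added example that is not part of the original answer or of the AuthzForce project: one `BasePdpEngine` built once and shared by a thread pool, with each task building its own request through the native API. Class and method names follow the native-API sample in the AuthzForce Core README and are assumed to match the release you use; the configuration path, pool size, request count and attribute values are placeholders, and any decision other than Permit is counted as a denial.

```java
import java.util.*;
import java.util.concurrent.*;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.DecisionType;
import org.ow2.authzforce.core.pdp.api.AttributeFqns;
import org.ow2.authzforce.core.pdp.api.DecisionRequest;
import org.ow2.authzforce.core.pdp.api.DecisionRequestBuilder;
import org.ow2.authzforce.core.pdp.api.value.Bags;
import org.ow2.authzforce.core.pdp.api.value.StandardDatatypes;
import org.ow2.authzforce.core.pdp.api.value.StringValue;
import org.ow2.authzforce.core.pdp.impl.BasePdpEngine;
import org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration;
import org.ow2.authzforce.xacml.identifiers.XacmlAttributeCategory;
import org.ow2.authzforce.xacml.identifiers.XacmlAttributeId;

public class SharedPdpDemo {
    // Build one request: subject-id and resource-id as string attributes, no issuer.
    static DecisionRequest request(BasePdpEngine pdp, String subject, String resource) {
        DecisionRequestBuilder<?> b = pdp.newRequestBuilder(-1, -1);
        b.putNamedAttributeIfAbsent(
            AttributeFqns.newInstance(XacmlAttributeCategory.XACML_1_0_ACCESS_SUBJECT.value(),
                Optional.empty(), XacmlAttributeId.XACML_1_0_SUBJECT_ID.value()),
            Bags.singletonAttributeBag(StandardDatatypes.STRING, new StringValue(subject)));
        b.putNamedAttributeIfAbsent(
            AttributeFqns.newInstance(XacmlAttributeCategory.XACML_3_0_RESOURCE.value(),
                Optional.empty(), XacmlAttributeId.XACML_1_0_RESOURCE_ID.value()),
            Bags.singletonAttributeBag(StandardDatatypes.STRING, new StringValue(resource)));
        return b.build(false);
    }

    public static void main(String[] args) throws Exception {
        // Placeholder path: point this at your own PDP configuration file.
        PdpEngineConfiguration conf = PdpEngineConfiguration.getInstance("/path/to/pdp.xml");
        ExecutorService pool = Executors.newFixedThreadPool(8); // placeholder pool size
        try (BasePdpEngine pdp = new BasePdpEngine(conf)) {     // created once, reused by all tasks
            List<Future<Boolean>> futures = new ArrayList<>();
            for (int i = 0; i < 1000; i++) {
                final String subject = "user" + (i % 50), resource = "doc" + i; // constructed values
                // Only an explicit Permit grants access; Deny, NotApplicable, Indeterminate do not.
                futures.add(pool.submit(() ->
                    pdp.evaluate(request(pdp, subject, resource)).getDecision() == DecisionType.PERMIT));
            }
            int permits = 0;
            for (Future<Boolean> f : futures) if (f.get()) permits++;
            System.out.println(permits + " permitted, " + (futures.size() - permits) + " denied");
        } finally {
            pool.shutdown();
        }
    }
}
```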