Перейти к основному контенту

Оптимизация производительности

When applied in a production environment with millions of users or permissions, you may encounter a performance downgrade in Casbin enforcement. There are usually two causes:

Высокое громкость трафика

The number of incoming requests per second is too large, for example, 10,000 requests/s for a single Casbin instance. In such cases, a single Casbin instance is usually not enough to handle all the requests. There are two possible solutions:

  1. Используйте несколько нитей для включения нескольких экземпляров Касбин, так что вы можете в полной мере использовать все ядра на машине. For more details, see: Multi-threading.

  2. Deploy Casbin instances to a cluster (multiple machines) and use Watcher to ensure all Casbin instances are consistent. For more details, see: Watchers.


You can use both of the above methods at the same time, for example, deploy Casbin to a 10-machine cluster where each machine has 5 threads simultaneously serving Casbin enforcement requests.


Высокое количество правил политики

In a cloud or multi-tenant environment, millions of policy rules may be required. Each enforcement call or even loading the policy rules at the initial time can be very slow. Такие случаи, как правило, могут быть смягчены несколькими способами:

  1. Check if your Casbin model or policy is well-designed. A well-written model and policy abstracts out the duplicated logic for each user/tenant and reduces the number of rules to a very small level (< 100). For example, you can share some default rules across all tenants and allow users to customize their rules later. Customized rules can override the default rules. If you have any further questions, please open a GitHub issue on the Casbin repository.

  2. Do sharding to let a Casbin enforcer only load a small set of policy rules. For example, enforcer_0 can serve tenant_0 to tenant_99, while enforcer_1 can serve tenant_100 to tenant_199. To load only a subset of all policy rules, see: Policy Subset Loading.

  3. Предоставить права доступа ролям RBAC вместо непосредственных пользователей. RBAC в Casbin's реализован с помощью дерева ролей в качестве кэша. So, given a user like Alice, Casbin only takes O(1) time to query the RBAC tree for the role-user relationship and perform enforcement. If your g rules don't change often, then the RBAC tree won't need to be constantly updated. See the details of this discussion here: https://github.com/casbin/casbin/issues/681#issuecomment-763801583


You can try all of the above methods at the same time.