Engine performance

[zeno521]

Hi AuthzForce team,

Have you tested or if you know what is the maximum number of policies roughly the engine will be able to process without noticeable performance drop please? Or maybe the number of rules/conditions instead of policies? Many thanks!

[cdanger]

Hello, we tested the limits a while back on AuthzForce Core 15.1.0 but it was still using java 8 so before we moved to Java 17 and made significant changes to the code, so I would consider the results back then obsolete. I expect/hope things have improved since then. Unfortunately, we haven't done any serious performance testing since the upgrade to Java 17. But this is something we'd like to do, not sure when yet.

In the meantime anyway, you would have to be a little bit more specific about your use case, as there are many factors that can impact the max number of rules. If that helps, I can give a few hints for a very simple use case, then you would have to test it for yourself. For instance, let's say you have a single Policy, and each Rule has only one Target Match on a AttributeDesignator (no AttributeSelector), and no Condition, and you are not using any PIP, then I would say the maximum number of rules (before you hit CPU/memory limits) still very much depends on:

• The XACML function(s) you use as Match function(s): applying boolean-equal or integer-equal has obviously not the same impact as string-regexp-match.
• The size of the attribute values being matched. E.g. applying a string-regexp-match on a 10-char string is nothing compared to regex matching on 10000-char text documents.
• The Java version: you may try with Java 17 or a more recent version such as the latest 21 LTS and get different results.
• The JVM options used: refer to the java command's Performance tuning examples for more details. Usually, adding the -server option, and setting -Xms and -Xmx properly (to the same value) is a good start. Also we observed in the past that using the Aalto XML processor as default XMLInputFactory with JVM option -Djavax.xml.stream.XMLInputFactory=com.fasterxml.aalto.stax.InputFactoryImpl can improve the performance of XACML/XML request processing (obviously if you use the JSON Profile or AuthzForce native API instead of XML, this does not apply).
• Your server's resources (CPU, memory, etc.)
• The number of concurrent threads: how many threads calling the PDP engine simultaneously?

The JMH project is a toolkit that gave us satisfaction in the past for that kind of microbenchmarking if you are interested.