简体繁体 English

在分布式环境中模拟多个策略决策点（PDP）

[英]Simulating multiple Policy Decision Points (PDPs) in distributed environment

原文 2019-06-08 18:09:54 5 2 distributed/ xacml/ pep/ pdp/ authzforce

Let's take a scenario where subjects will be requesting access to many objects per second. 让我们假设一个场景，主题将每秒请求访问多个对象。 A heavy load on a single PDP would mean increase in wait and read/write times per request. 单个PDP上的沉重负担意味着每个请求的等待和读取/写入时间增加。

So far I have used the AuthzForce Core project to setup a single PDP for which I have a for loop sending multiple requests (this can be done simultaneously using threads). 到目前为止，我已经使用AuthzForce Core项目设置了一个PDP，为此我有一个for循环发送多个请求（可以使用线程同时完成）。 However, this does not seem like a suitable setup for evaluating my policies in a distributed environment. 但是，这似乎不适合在分布式环境中评估我的策略。

Is there any way that it can be done? 有什么办法可以做到吗？ Perhaps using AuthzForce Server ? 也许使用AuthzForce服务器？

Edit : 编辑：

I am running a Java application which uses Authzforce Core. 我正在运行使用Authzforce Core的Java应用程序。 The program creates an instance of a PDP which loads a single policy document, and then a for loop executes multiple requests. 该程序创建一个加载单个策略文档的PDP实例，然后for循环执行多个请求。 This is all done locally within the program itself. 所有这些都在程序本身内部完成。

2 个解决方案

Authzforce server has an option for high availability: https://github.com/authzforce/fiware/blob/master/doc/InstallationAndAdministrationGuide.rst#high-availability Authzforce服务器具有高可用性选项： https : //github.com/authzforce/fiware/blob/master/doc/InstallationAndAdministrationGuide.rst#high-availability

You could follow the same guidelines to implement this using your single pdp. 您可以遵循相同的准则来使用单个pdp实施此操作。

It is difficult to help improve the performance here without looking at the code or the architecture, but I can give a few general tips (some of them maybe obvious to you but just to be thorough): 在不查看代码或体系结构的情况下，很难帮助提高性能，但是我可以给出一些一般性的提示（其中一些可能对您显而易见，但只是为了更全面）：

Since the PDP is embedded in your Java app, I assume (or make sure you do) you are using AuthzForce native Java API (example on the README), which is the most efficient way to evaluate. 由于PDP嵌入在Java应用程序中，因此我假设（或确保您这样做）您正在使用AuthzForce本机Java API （自述文件中的示例），这是最有效的评估方法。
I also assume you are (re-)using the same PDP ( BasePdpEngine ) instance throughout the lifetime of your application. 我还假设您在应用程序的整个生命周期中都（重新）使用相同的PDP（ BasePdpEngine ）实例。 It should be thread-safe. 它应该是线程安全的。
In order to evaluate multiple requests at once, you may try the PDP engine's evaluate(List) method ( javadoc ) instead of the usual evaluate(DecisionRequest) , which is faster in some cases. 为了一次评估多个请求，您可以尝试使用PDP引擎的evaluate(List)方法（ javadoc ），而不是通常的evaluate(DecisionRequest) ，这种方法在某些情况下会更快。
If by "distributed environment", you mean that you may have multiple instances of your Java app deployed in different places, therefore multiple PDPs, the right setup(s) depend on where/how you load the policy document: local file, remote db, etc. See my last comment. 如果使用“分布式环境”，则意味着您可能在不同位置部署了Java应用程序的多个实例，因此部署了多个PDP，正确的设置取决于加载策略文档的位置/方式：本地文件，远程数据库，等等。请参阅我的最后评论。 As mentioned in Rafael Sisto's answer, you can reuse some guidelines from the High Availability section of AuthzForce Server installation guide there. 如Rafael Sisto的答案中所述，您可以在此处重复使用AuthzForce Server安装指南的“高可用性”部分中的一些指南。