From 011301f06ff8e0234f05d0d3ba3122e31c2d9e81 Mon Sep 17 00:00:00 2001
From: Karl Persson <23356117+kalleep@users.noreply.github.com>
Date: Thu, 6 Feb 2025 17:16:30 +0100
Subject: [PATCH] Authz: client cache (#100195)

* Reduce client permissions cache for authz client
* Adjust server cache ttl
---
 pkg/services/authz/client.go | 12 ++++++++++++
 pkg/services/authz/rbac/service.go | 10 +++++-----
 2 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/pkg/services/authz/client.go b/pkg/services/authz/client.go
index 412a4e2acb9..506155df380 100644
--- a/pkg/services/authz/client.go
+++ b/pkg/services/authz/client.go
@@ -124,6 +124,10 @@ func newInProcLegacyClient(server *rbac.Service, tracer tracing.Tracer) (authlib
 authzlib.WithGrpcConnectionClientOption(channel),
 authzlib.WithDisableAccessTokenClientOption(),
 authzlib.WithTracerClientOption(tracer),
+ authzlib.WithCacheClientOption(cache.NewLocalCache(cache.Config{
+ Expiry: 30 * time.Second,
+ CleanupInterval: 2 * time.Minute,
+ })),
 )
 }

@@ -147,6 +151,10 @@ func newGrpcLegacyClient(authCfg *Cfg, tracer tracing.Tracer) (authlib.AccessCli
 grpc.WithStreamInterceptor(clientInterceptor.StreamClientInterceptor),
 ),
 authzlib.WithTracerClientOption(tracer),
+ authzlib.WithCacheClientOption(cache.NewLocalCache(cache.Config{
+ Expiry: 30 * time.Second,
+ CleanupInterval: 2 * time.Minute,
+ })),
 // TODO: remove this once access tokens are supported on-prem
 authzlib.WithDisableAccessTokenClientOption(),
 )
@@ -181,6 +189,10 @@ func newCloudLegacyClient(authCfg *Cfg, tracer tracing.Tracer) (authlib.AccessCl
 grpc.WithUnaryInterceptor(clientInterceptor.UnaryClientInterceptor),
 grpc.WithStreamInterceptor(clientInterceptor.StreamClientInterceptor),
 ),
+ authzlib.WithCacheClientOption(cache.NewLocalCache(cache.Config{
+ Expiry: 30 * time.Second,
+ CleanupInterval: 2 * time.Minute,
+ })),
 authzlib.WithTracerClientOption(tracer),
 )
 if err != nil {
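Review bot: The same `cache.Config{Expiry: 30 * time.Second, CleanupInterval: 2 * time.Minute}` literal is added three times, here in newInProcLegacyClient and again in the newGrpcLegacyClient and newCloudLegacyClient hunks, so the window during which a cached authorization decision can outlive a permission change is defined in three places that can drift apart. A single named value, for example `const clientCacheTTL = 30 * time.Second` with a comment stating that it bounds how long a revoked permission may still be honoured by the client, would keep them aligned. For the in-process client the wrapped rbac.Service appears to keep its own TTL caches (see rbac/service.go in this patch), so the worst-case staleness is presumably the client and server TTLs added together, which is worth stating in that comment. All three function bodies start and end outside their hunks.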
diff --git a/pkg/services/authz/rbac/service.go b/pkg/services/authz/rbac/service.go
index 26bd352903c..349ccd53558 100644
--- a/pkg/services/authz/rbac/service.go
+++ b/pkg/services/authz/rbac/service.go
@@ -31,10 +31,10 @@ import (
 )

 const (
- shortCacheTTL = 1 * time.Minute
- shortCleanupInterval = 5 * time.Minute
- longCacheTTL = 5 * time.Minute
- longCleanupInterval = 10 * time.Minute
+ shortCacheTTL = 30 * time.Second
+ shortCleanupInterval = 2 * time.Minute
+ longCacheTTL = 2 * time.Minute
+ longCleanupInterval = 4 * time.Minute
 )

 type Service struct {
@@ -82,7 +82,7 @@ func NewService(
 idCache: newCacheWrap[store.UserIdentifiers](cache, logger, longCacheTTL),
 permCache: newCacheWrap[map[string]bool](cache, logger, shortCacheTTL),
 teamCache: newCacheWrap[[]int64](cache, logger, shortCacheTTL),
- basicRoleCache: newCacheWrap[store.BasicRole](cache, logger, longCacheTTL),
+ basicRoleCache: newCacheWrap[store.BasicRole](cache, logger, shortCacheTTL),
 folderCache: newCacheWrap[map[string]FolderNode](cache, logger, shortCacheTTL),
 sf: new(singleflight.Group),
 }
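Review bot: These TTL constants decide how long a stale identity, permission, team, basic-role or folder entry keeps answering authorization checks, but nothing at the declaration says so. A comment above the const block such as `// shortCacheTTL bounds how long a permission or role change can go unnoticed by the server-side cache.` would make the security trade-off explicit. In the second hunk basicRoleCache moves to shortCacheTTL while idCache stays on longCacheTTL, which in the visible lines leaves idCache as the only user of longCacheTTL; a short note on why user identifiers tolerate the longer window would help the next reader. NewService continues outside the hunk, so other uses of these constants may exist.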