docs: Add guidance around resource utilization

There are many ways this question can be answered so this is not a final answer but instead a starting point. In the future we can expand on this section to include more use-case specific resource utilization guidance however for the time being this is a good start. Fixes #1601 Signed-off-by: Torin Sandall <torinsandall@gmail.com>
open-policy-agent · Apr 17, 2020 · 5fd5349 · 5fd5349
1 parent 23e2a51
commit 5fd5349
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 2 deletions.
diff --git a/docs/content/deployments.md b/docs/content/deployments.md
@@ -311,4 +311,8 @@ OPA uses the standard Go [net/http](https://golang.org/pkg/net/http/) package
 for outbound HTTP requests that download bundles, upload decision logs, etc. In
 environments where an HTTP proxy is required, you can configure OPA using the
 pseudo-standard `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` environment
-variables.
+variables.
+
+## CPU and Memory Requirements
+
+For more information see the [Resource Utilization section on the Policy Performance page](../policy-performance#resource-utilization).
diff --git a/docs/content/policy-performance.md b/docs/content/policy-performance.md
@@ -520,7 +520,31 @@ This gives clear feedback that the evaluations have slowed down considerably by
 > repeat the benchmarks a number of times (5-10 is usually enough). The tool requires several data points else the `p`
 > value will not show meaningful changes and the `delta` will be `~`.
 
-### Key Takeaways
+## Resource Utilization
+
+Policy evaluation is typically CPU-bound unless the policies have to pull additional
+data on-the-fly using built-in functions like `http.send()` (in which case evaluation
+likely becomes I/O-bound.) Policy evaluation is currently single-threaded. If you
+are embedding OPA as a library, it is your responsibility to dispatch concurrent queries
+to different Goroutines/threads. If you are running the OPA server, it will parallelize
+concurrent requests and use as many cores as possible. You can limit the number of
+cores that OPA can consume by starting OPA with the [`GOMAXPROCS`](https://golang.org/pkg/runtime)
+environment variable.
+
+Memory usage scales with the size of the policy (i.e., Rego) and data (e.g., JSON) that you
+load into OPA. Raw JSON data loaded into OPA uses approximately 20x more memory compared to the
+same data stored in a compact, serialized format (e.g., on disk). This increased
+memory usage is due to the need to load the JSON data into Go data structures like maps,
+slices, and strings so that it can be evaluated. For example, if you load 8MB worth of
+JSON data representing 100,000 permission objects specifying subject/action/resource triplets,
+OPA would consume approximately 160MB of RAM.
+
+Memory usage also scales linearly with the number of rules loaded into OPA. For example,
+loading 10,000 rules that implement an ACL-style authorization policy consumes approximately
+130MB of RAM while 100,000 rules implementing the same policy (but with 10x more tuples to check)
+consumes approximately 1.1GB of RAM.
+
+## Key Takeaways
 
 For high-performance use cases: