Background
We need to quantify the performance overhead of our JWT+Lua authorization filter chain compared to the legacy unauthenticated baseline.
Measurement Strategy
1. A/B Test: Same S3 Operations
Run identical S3 operations (PUT/GET/DELETE) through:
- Baseline: Envoy with auth disabled (legacy mode)
- Test: Envoy with JWT+Lua enabled
Metrics to collect:
- End-to-end latency (client-observed)
- Envoy stats (CPU usage, request time histograms)
- P50/P95/P99 latencies
2. Isolate Auth Cost from S3 Cost
Since S3 dominates wall-clock time, add a controlled test:
- Deploy a local upstream (e.g., httpbin-style echo server) behind Envoy
- Measure with/without filters to isolate pure filter overhead
- This removes S3 variability and shows true authorization cost
3. Vary Token Grant Count
Test how authorization scales with token complexity:
- Generate tokens with varying grant counts:
  - 6 grants (current baseline)
  - 60 grants (10x)
  - 600 grants (100x)
- Measure where Lua matching performance degrades
- Identify if we need optimization for high-grant scenarios
Success Criteria
- Document baseline vs JWT+Lua overhead percentage
- Identify if overhead is acceptable for production use
- Determine if we need optimization (e.g., caching, native filter)
- Establish performance regression tests
Implementation Notes
- Use existing infrastructure in tests/integration/
- Consider adding performance benchmarks to CI
- Document results in docs/performance.md
Related Files
- Current implementation: lambda_handlers/envoy_auth/
- Auth filter config: infra/raja_poc/constructs/envoy_proxy.py
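
For step 3 of the measurement strategy (varying token grant count), a token generator for the 6/60/600-grant runs, added here as an example and not taken from this repository. The `grants` claim name, the grant string format, the HS256 test key and the header limit value are assumptions; substitute the project's real token schema, signing setup and proxy limit.

```python
import base64, hashlib, hmac, json, time

TEST_KEY = b"benchmark-only-key"   # constructed test secret, never a real key
HEADER_LIMIT_BYTES = 60 * 1024     # assumption: replace with your proxy's header limit

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _sign(signing_input, key):
    return _b64url(hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest())

def make_token(grant_count, key=TEST_KEY, now=None):
    """Build an HS256 JWT carrying `grant_count` distinct grants."""
    now = int(time.time()) if now is None else now
    claims = {
        "sub": "perf-test", "iat": now, "exp": now + 3600,
        # hypothetical grant format; substitute the real schema
        "grants": [f"s3:GetObject/perf-bucket/prefix-{i:04d}/" for i in range(grant_count)],
    }
    parts = [{"alg": "HS256", "typ": "JWT"}, claims]
    signing_input = ".".join(
        _b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    return signing_input + "." + _sign(signing_input, key)

def decode_grants(token, key=TEST_KEY):
    """Verify the signature, then return the grants list (sanity check for the generator)."""
    signing_input, _, sig = token.rpartition(".")
    if not hmac.compare_digest(sig, _sign(signing_input, key)):
        raise ValueError("bad signature")
    payload = signing_input.split(".")[1]
    raw = base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4))
    return json.loads(raw)["grants"]

def size_report(counts=(6, 60, 600), limit=HEADER_LIMIT_BYTES):
    """Authorization header size per grant count, flagged against the header limit."""
    rows = []
    for n in counts:
        value = "Bearer " + make_token(n)
        rows.append({"grants": n, "header_bytes": len(value), "fits": len(value) <= limit})
    return rows

if __name__ == "__main__":
    for row in size_report():
        print(row)
```

Recording the header size alongside each latency run keeps a request rejected for oversized headers from being misread as slow Lua matching at high grant counts.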