Cache the results of is_admin_or_superuser_check (openedx#146)

* refactor: cache the results of is_admin_or_superuser_check

is_admin_or_superuser_check is being called once per policy when
checking enforcement, creating a potential performance issue with
numerous calls to the database. This adds a brief cache to offload some
of the burden, but we will need a better fix long term.

* refactor: Add RBAC admin cache constants

* refactor: Use RequestCache for RBAC admin matcher

By using the RequestCache instead of the Django cache we are able to
have a thread-local memory copy of the user's superuser / staff state
that exists only for the length of the request. This will save a large
number of round trips to the cache backend.

* chore: Update version and changelog

---------

Co-authored-by: Tycho Hob <[email protected]>

Author: bmtcril

CHANGELOG.rst

@@ -16,6 +16,14 @@ Unreleased
 
 *
 
+0.19.2 - 2025-11-25
+********************
+
+Performance
+===========
+
+* Use a RequestCache for is_admin_or_superuser matcher to improve performance.
+
 0.19.1 - 2025-11-25
 ********************
 

Makefile

@@ -37,6 +37,7 @@ PIP_COMPILE = pip-compile $(PIP_COMPILE_OPTS)
 
 compile-requirements: ## compile the requirements/*.txt files with the latest packages satisfying requirements/*.in
 	pip install -qr requirements/pip-tools.txt
+	pip install -qr requirements/pip.txt
 	pip-compile -v ${COMPILE_OPTS} --allow-unsafe --rebuild -o requirements/pip.txt requirements/pip.in
 	pip-compile -v ${COMPILE_OPTS} -o requirements/pip-tools.txt requirements/pip-tools.in
 	pip install -qr requirements/pip.txt

openedx_authz/__init__.py

@@ -4,6 +4,6 @@
 
 import os
 
-__version__ = "0.19.1"
+__version__ = "0.19.2"
 
 ROOT_DIRECTORY = os.path.dirname(os.path.abspath(__file__))

openedx_authz/engine/enforcer.py

@@ -151,8 +151,6 @@ def configure_enforcer_auto_save_and_load(cls):
 
         if auto_load_policy_interval > 0:
             cls.configure_enforcer_auto_loading(auto_load_policy_interval)
-        else:
-            logger.warning("CASBIN_AUTO_LOAD_POLICY_INTERVAL is not set or zero; auto-load is disabled.")
 
         cls.configure_enforcer_auto_save(auto_save_policy)
 

openedx_authz/engine/matcher.py

@@ -1,6 +1,7 @@
 """Custom condition checker. Note only used for data_library scope"""
 
 from django.contrib.auth import get_user_model
+from edx_django_utils.cache import RequestCache
 
 from openedx_authz.api.data import ContentLibraryData, ScopeData, UserData
 from openedx_authz.rest_api.utils import get_user_by_username_or_email
@@ -26,15 +27,26 @@ def is_admin_or_superuser_check(request_user: str, request_action: str, request_
               ContentLibraryData scopes), False otherwise (including when user
               doesn't exist or scope type is not supported)
     """
+
+    scope = ScopeData(namespaced_key=request_scope)
+    username = UserData(namespaced_key=request_user).external_key
+    request_cache = RequestCache("rbac_is_admin_or_superuser")
+
+    # TODO: This special case for superuser and staff users is currently only for
+    # content libraries. See: https://github.com/openedx/openedx-authz/issues/87
+    if not isinstance(scope, ContentLibraryData):
+        return False
+
+    cached_response = request_cache.get_cached_response(username)
+    if cached_response.is_found:
+        return cached_response.value
+
     try:
-        username = UserData(namespaced_key=request_user).external_key
         user = get_user_by_username_or_email(username)
     except User.DoesNotExist:
         return False
 
-    scope = ScopeData(namespaced_key=request_scope)
-
-    if isinstance(scope, ContentLibraryData):
-        return user.is_staff or user.is_superuser
+    is_allowed = user.is_staff or user.is_superuser
+    request_cache.set(username, is_allowed)
 
-    return False
+    return is_allowed

openedx_authz/settings/test.py

@@ -44,6 +44,7 @@ def plugin_settings(settings):  # pylint: disable=unused-argument
     "django.contrib.sessions.middleware.SessionMiddleware",
     "django.contrib.auth.middleware.AuthenticationMiddleware",
     "django.contrib.messages.middleware.MessageMiddleware",
+    "edx_django_utils.cache.middleware.RequestCacheMiddleware",
 ]
 
 TEMPLATES = [

requirements/base.in

@@ -9,4 +9,5 @@ pycasbin                    # Authorization library for implementing access cont
 casbin-django-orm-adapter   # Adapter for Django ORM for Casbin
 edx-opaque-keys             # Opaque keys for resource identification
 edx-api-doc-tools           # Tools for API documentation
+edx-django-utils            # Used for RequestCache
 edx-drf-extensions          # Extensions for Django Rest Framework used by Open edX

requirements/base.txt

@@ -19,7 +19,9 @@ cffi==2.0.0
 charset-normalizer==3.4.3
     # via requests
 click==8.3.0
-    # via edx-django-utils
+    # via
+    #   -c requirements/constraints.txt
+    #   edx-django-utils
 cryptography==46.0.2
     # via pyjwt
 django==4.2.24
@@ -57,7 +59,9 @@ drf-yasg==1.21.11
 edx-api-doc-tools==2.1.0
     # via -r requirements/base.in
 edx-django-utils==8.0.1
-    # via edx-drf-extensions
+    # via
+    #   -r requirements/base.in
+    #   edx-drf-extensions
 edx-drf-extensions==10.6.0
     # via -r requirements/base.in
 edx-opaque-keys==3.0.0

requirements/constraints.txt

@@ -10,3 +10,6 @@
 
 # Common constraints for edx repos
 -c https://raw.githubusercontent.com/edx/edx-lint/master/edx_lint/files/common_constraints.txt
+
+# Different packages want different versions of click, we force the most compatible one here
+click==8.3.0

requirements/dev.txt

@@ -45,6 +45,7 @@ charset-normalizer==3.4.3
     #   requests
 click==8.3.0
     # via
+    #   -c requirements/constraints.txt
     #   -r requirements/pip-tools.txt
     #   -r requirements/quality.txt
     #   click-log
@@ -196,7 +197,7 @@ packaging==25.0
     #   tox
 path==16.16.0
     # via edx-i18n-tools
-pip-tools==7.5.1
+pip-tools==7.5.2
     # via -r requirements/pip-tools.txt
 platformdirs==4.4.0
     # via