https://authzed.com/blog/google-scale-authorization talks about the first in a series of scale tests we've written about

Awesome. Thanks! Any experience on how the performance varies across Postgres and cockroach? My use case doesn’t demand cockroach and my org has much more Postgres experience.

we ran similar tests on Postgres and plan to have another blog post discussing those results at some point in the near future

not to spoil it too much: Postgres scaled fairly well, but not to the levels CRDB did (because it was only operating as a single Postgres node)

Beautiful. Thanks. I’ll check out this link and stay tuned to authzed.com/blog

are you all single region and is a single postgres box going to be sufficient for your use case? my org tripped on this

permission edit = writer /** * view indicates that the user has permission to view the board, if they * are a

reader

or have

edit

permission. */ permission view = reader + edit I know I can check if a user has edit permissions but is there a way to combine this with a reader check? Basically check write access and if they don't have it, then conditionally check if they have read access? I could do two calls ofc but wanted to see if there was an easy way to do it one batched call

We are single region. Currently need to handle 1k rps at peak. I can’t see that number going above 25k rps. We care more about keeping the latency down. How was you experience migrating from Postgres to cockroach

we haven't migrated yet - just wanna make sure that you're aware that postgres replication isn't supported, so any scaling you want to do of a postgres datastore has to be vertical

there's a bulk check API, but there isn't a way to phrase your question directly

what's the use case?

gotcha ya, basically i have a user connecting to a websocket and want to check what class of stuff (read/write/deny) they can do in the "room". I was hoping for a one-shot check to see what they can do before granting them access

i think you can look up a resource but I wanted to just offload all checks straight to spicedb instead of writing my own logic to do it

if that makes sense

yeah, that makes sense

spicedb isn't really set up to answer "what computed permissions does this user have on this resource?"

for our application, when we want to figure out what a user can do on the frontend for the purposes of showing things, we're making a set of permission checks using

BulkCheck

and then displaying according to those results

Oh that’s good to know. I assumed we could go pretty far with read replicas. Do you have any idea why replication isn’t supported?

spicedb uses postgres MVCC internals to enable things like

at-exact-snapshot

consistency - it's taking postgres snapshots and then referencing them in the data by the internal postgres transaction counter ID

and those internal transaction IDs won't line up between instances

which means you can have "missing" data or inconsistent results

Good to know. Thank you for calling that out

Having trouble using the bulk checkpermissions api over rest. Wondering if anyone has the same issue? Was trying to hit

'/v1/experimental/permissions/bulkcheckpermission'

on

https://gateway-alpha.authzed.com

with a post request

Getting

{ code: 5, message: 'Not Found', details: [] }

Does spicedb support any kind of audit log for the checks? I see a watch API for the writes, but I'd also like to be able to push an audit log of accesses up to BigQuery

might be that it's not released yet on authzed

not currently no

Could someone help me understand how to represent this relationship? https://play.authzed.com/s/PBKZaLd3Enku/schema I have two resources: users and rooms. Users may occupy rooms. Users should only be able to

view

other users that have access to a common room.

I think my

room

definition is fine, but my

user

block might be way off. I captured assertions that I'm trying to satisfy in the assertions tab