https://authzed.com logo
lots of people see https github com
j

Joey

04/25/2023, 11:58 PM
f

fierro

04/26/2023, 6:34 PM
this issue mentions that
Various tests show approximately ~100ms for a LookupResources call on a SpiceDB with 100-250K relationships, and a graph nesting of 3-5 deep.
Do you guys have any reference benchmarks tests available to check out? Can't get anywhere close to this, curious what the nature of this
LookupResources
request was - - how many resources were returned, what the schema was, etc
j

Joey

04/26/2023, 6:35 PM
only the ones defined for point benchmarking
it will heavily depend on your schema
if you use intersections, exclusions or caveats, for example
then we have to issue post-reachable checxks
which vastly slows things down
f

fierro

04/26/2023, 6:36 PM
kk thanks
j

Joey

04/26/2023, 6:36 PM
we're working on adding cursoring to LR to reduce the overhead
but realistically, it depends highly on what your model is and what your use case is
that's why WatchLookupResources is a proposal
f

fierro

04/27/2023, 1:25 AM
can you point me to the benchmarking set up? Would like to compare the reference schema / dataset to my own.
j

Joey

04/27/2023, 1:33 AM
as stated above, its for point benchmarking
its mostly unit tests for benchmarking very specific scenarios and will absolutely not reflect real data shapes
the reference data set has maybe 10s of relationships
f

fierro

04/27/2023, 1:39 AM
thank you! The issue above mentions
Various tests show approximately ~100ms for a LookupResources call on a SpiceDB with 100-250K relationships, and a graph nesting of 3-5 deep.
so I was ideally looking that dataset. I have a similar data cardinality and only two levels of nesting and seeing ~2seconds for lookupResources, no exclusions, etc
j

Joey

04/27/2023, 1:40 AM
sure
that was a manual test we ran many, many moons ago
you'll have to look at an OTEL trace to see how its running on your specific data set
after all, its possible you're trying to return a very large number of results
the above manual test was 100-250K relationships, but only 10s of results max
f

fierro

04/27/2023, 1:42 AM
I see
yeah, trying to return 100k+ results
j

Joey

04/27/2023, 1:43 AM
oh yeah
that's almost certainly the reason then
what do you intend to do with 100k+ results?
f

fierro

04/27/2023, 1:55 AM
haha. well, I'm trying to solve ACL filtering on LIST apis. one of the ways I was hoping to test is loading in all entities and do some post-filtering
j

Joey

04/27/2023, 1:56 AM
I suspect at that scale, you'll want to find the items in your DB first and then check them
we're working on adding cursor support to LookupResources now
so rather than trying to load 100k+ results at once, you'll be able to stream them more efficiently
f

fierro

04/27/2023, 1:57 AM
yeah that would work too
j

Joey

04/27/2023, 1:57 AM
would you be able to share your schema and over which permission you're invoking the LR call?
f

fierro

04/27/2023, 1:59 AM
definitely
will send you the schema without exclusions, and with. the problem with exclusions is a lot gnarlier
j

Joey

04/27/2023, 2:05 AM
yeah, exclusions will make things slower
f

fierro

04/27/2023, 2:05 AM
yeah makes sense. I'm learning more about how things are implemented
j

Joey

04/27/2023, 2:06 AM
but we have a number of improvements (like cursors) coming to LR to make this much more manageable
f

fierro

04/27/2023, 2:17 AM
cool. yeah been trying to figure out this ACL filtering problem, its tough. Doing post filtering via issuing a bunch of CheckPermissions calls after reading from DB works but is slow, doing post-filtering via precomputing full set of Resources via LookupResources is slow/clunky, and replicating some permissions data from SpiceDB into main datastore isn't trivial (we will be serving LIST apis out of elastic search, so we'll need to build some kind of system leveraging Lookup Watch API and stuff list of authorized users into objects indexed in Elastic)
j

Joey

04/27/2023, 2:27 AM
yeah, that's why https://github.com/authzed/spicedb/issues/207 is a proposal to allow for easy replication
it was designed with ES in mind
in theory
f

fierro

04/27/2023, 2:36 AM
nice. yeah the checking permission after loading is correct but has bad pathologies where authorized rows are scanned last from the DB. issue 207 would be sweet.