We have a usecase we're having a hard
# spicedbw
wscalf
11/13/2023, 4:02 PMWe have a usecase we're having a hard time wrapping our minds around how to ReBACify. Any help would be appreciated. 🙂
wscalf
11/13/2023, 4:02 PMWe have some large datasets (approx 300k records per tenant) that users may have access to large subsets of, and that queries may match large subsets of. This seems challenging because it doesn't seem like a great match for the lookup API (due to the large set of authorized records) or bulk-check (due to the large set of matched records.) And just to make it spicier- we need to handle counts, sorting, and pagination, which seems like we would need to process the entire dataset.
We're considering some alternatives, like making the authorization more coarse-grained by using the lookup API to get part of the way there (to a handful of items) and then using that data in the query, but that means less expressive authz policy. Or, something more exotic, like building out a table of subjects and authorized resources that could be joined, but that seems like a mess.
Thoughts/insights/suggestions?
c
corkrean
11/13/2023, 4:35 PMHey @wscalf, we are building two Enterprise features for this use case, Lookup Watch and Tiger Cache.
The Lookup Watch API Service will provide a stream of updates indicating changes in the accessibility of a kind of resources, for a specific kind of subject. You can store these updates client side in a DB or search index. By storing the updates in your DB, you can presort the data ahead of incoming requests.
Tiger Cache will make use of the Lookup Watch API to provide a static cache of permissable resources (of a particular kind) to the specified kind of subject. This feature will make it possible to perform LookupResources requests that return hundreds of thousands of results in a few milliseconds.
This Github issue represents the gist of what we are building, though it's not completely up to date. https://github.com/authzed/spicedb/issues/207
corkrean
11/13/2023, 4:36 PMIf it makes sense to discuss more over a call, shoot me an email and we can set something up evan.corkrean@authzed.com