williamdclt
05/15/2024, 8:54 AMlookupResources
for every permission (~50 permissions)
- Do a bulkCheck
for every permission and every resource (~50 permissions, ~1000 resources, ~50k checks total)
I've been surprised to find that:
- lookupResources
completely overwhelms the database, the pods CPU and the pods memory even without any parallelism (1 lookup at a time)
- bulkCheck
actually performs somewhat decently (it's too slow for our use-case, but that's probably because having 50k permissions is a fundamentally flawed idea)
What I don't understand is: how can bulk-checking every single permission on every single resource possibly be more efficient than a lookupResource
? This massive bulk-check seems like the naive approach to implement lookupResources
, so lookup should work at least as well as bulk-checking (probably much better)
I'm happy to provide more hard data, but does the assumption sound correct or am I missing something?williamdclt
05/15/2024, 10:23 AMvroldanbet
05/15/2024, 10:37 AMresource:1...1000 view user:1
leads to batching SQL queries that need to check resources, so in the best case it's pretty efficient.
LookupResources
is a different monster. It needs to traverse the reachability graph for the user and permission, and depending on the existence of intersections and exclusions, it may have to issue check permissions. To support cursors, there is a bunch of metadata that needs to be tracked by the spicedb process and dispatched back and forth.
I'm sure there are opportunities to optimize the later. I'd suggest looking into the RDS analytics to see what are the queries taking place, to rule out any missing indexes at least.williamdclt
05/15/2024, 11:34 AMdefinition Document {
relation org: Organisation
relation viewers: User
permission view = org->user & viewers
}
definition User {}
definition Organisation {
user: User
}
Then I'd expect lookup document view user:1
to do something like:
- SELECT the orgs that user:1 is a member of
- SELECT the documents that are viewable by those orgs
- SELECT which documents user:1
is a viewer
of
There's an intersection in the permission, but it doesn't seem like dispatching `check`s is needed?
Again I'm sure I'm being naive. Possibly I'm using knowledge of the schema which is difficult for SpiceDB to get (eg low cardinality of Organisation, high cardinality of Document, or the fact that Organisation is alike to a tenancy boundary), but I'd be keen to understand that better: maybe I can redesign my schema to make these lookups efficient?williamdclt
05/15/2024, 11:35 AMJoey
05/15/2024, 3:33 PMJoey
05/15/2024, 3:51 PMJoey
05/15/2024, 3:51 PMwilliamdclt
05/15/2024, 4:20 PMJoey
05/15/2024, 4:21 PMJoey
05/15/2024, 4:21 PMJoey
05/15/2024, 4:21 PMJoey
05/15/2024, 4:21 PMJoey
05/15/2024, 4:22 PMJoey
05/15/2024, 4:22 PMJoey
05/15/2024, 4:22 PMwilliamdclt
05/15/2024, 5:25 PMcypher
MATCH (u:User WHERE id:1) -[:viewer]-> (d:Document),
(d) -[:org]-> (o:Organisation) -[:user]-> (u)
RETURN d.id
RDF triplestores can do it efficiently too, and there's cypher-to-sql engines as well as SPARQL-to-SQLwilliamdclt
05/15/2024, 5:26 PMJoey
05/15/2024, 5:30 PMJoey
05/15/2024, 5:30 PMwilliamdclt
05/15/2024, 5:31 PM