hello) i had problem with high spicedb SpiceDB #spicedb

hello) i had problem with high spicedb

Yaroslav

07/16/2024, 12:55 PM

hello) i had problem with high spicedb memory load because of LookupResources request. I tried to add limits to this requests and its killed my postgress)))

Yaroslav

07/16/2024, 12:56 PM

https://cdn.discordapp.com/attachments/1262754582228893727/1262754753020952727/Screenshot_2024-07-16_at_14.56.28.png?ex=6697bf81&is=66966e01&hm=540e69ad57d2c4a0e624c2be8305a3aef268810b4bffa5da472d4ef8cf21fc85&

Yaroslav

07/16/2024, 12:56 PM

limit was 200

Yaroslav

07/16/2024, 12:58 PM

do you know about this problem?

vroldanbet

07/16/2024, 1:08 PM

did the spikes started happening when you added pagination? did those spikes not happen without pagination?

yetitwo

07/16/2024, 1:09 PM

it would also help to know the general shape of your schema and data

Yaroslav

07/16/2024, 1:23 PM

yes, only after limits

Yaroslav

07/16/2024, 1:25 PM

i didnt have spikes on postgress, but i had spikes on spice db memory when i did LookupResources for user with 1000+ relations

vroldanbet

07/16/2024, 1:25 PM

any chances you can create a

zed backup

export with obfuscation via

zed backup redact

and send it our way?

Yaroslav

07/16/2024, 1:27 PM

definition user {} definition anonymous {} definition link { relation owner: user relation member: user relation scope: user | group | anonymous permission membership = owner + member permission can_member_be_added = owner + scope + scope->membership permission has_access = membership permission can_view = membership } definition group { relation owner: user | group relation member: user | group#member permission membership = member + member->membership + owner permission has_access = membership permission can_view = has_access } definition project { relation owner: user relation parent: folder relation viewer: user | link | group relation editor: user | link | group relation signer: user relation commenter: user | link | group relation filler: user permission can_view = viewer + can_edit + viewer->membership + parent + parent->can_view + can_fill + can_comment + can_sign permission can_edit = editor + editor->membership + parent + parent->can_edit + can_all permission can_sign = signer + can_fill permission can_all = owner permission has_access = can_view permission can_comment = commenter + can_edit + parent + parent->can_comment + commenter->membership permission can_fill = filler } definition folder { relation owner: user relation parent: folder relation viewer: user | link | group relation editor: user | link | group permission can_view = can_edit + viewer + viewer->membership + parent + parent->can_view permission can_edit = can_all + editor + editor->membership + parent + parent->can_edit permission can_all = owner permission has_access = can_view }

Yaroslav

07/16/2024, 1:28 PM

request:

Copy code

return &v1.LookupResourcesRequest{
        ResourceObjectType: permission.DEF_PROJECT,
        Permission:         permission.PERM_CAN_VIEW,
        Subject: &v1.SubjectReference{
            Object: &v1.ObjectReference{
                ObjectType: permission.DEF_USER,
                ObjectId:   userId,
            },
        },
        OptionalLimit: u.config.CONSUMER.StreamLimit,
        Consistency: &v1.Consistency{
            Requirement: &v1.Consistency_FullyConsistent{FullyConsistent: true},
        },
    }

Yaroslav

07/16/2024, 1:31 PM

i will ask our devops team

vroldanbet

07/16/2024, 5:04 PM

@Yaroslav we are experimenting with a new LR implementation that is showing promising results. If you want to give it a go, we'd appreciate any feedback: https://github.com/authzed/spicedb/pull/1905

2 Views

Previous Next