https://authzed.com logo
Join Discord
Powered by
Looking up indirect subjects, our schema
# spicedb
j
Looking up indirect subjects, our schema represents something like this:
Copy code
definition user {}

definition person {
    relation owner: tenant
    relation representation: user

    permission view = owner->member
}

definition tenant {
    relation member: person#representation
}
Now we are seeing an big performance hit looking up if user:a can see person:b, when an tenant has a lot of members (> 10k). It follows the following path:
Copy code
✓ person:william view
└── ✓ tenant:main member
    └── ✓ person:jan,john,joost,william representation
        └── user:3
It first looks up all the people that are a member of our tenant, then it loops through all the people until it finds the user (representation) with id 3. Any recommendations on how we could handle this lookup more efficiently? We would like to keep our abstraction of an user representing a person instead of making users direct members of the tenant.
y
it's basically expected when you have a schema structure like this. what's the business logic that led to this structure? like what's the use case?
j
So people are entities that are managed by people, but not all people can login. People that can login are represented by an user, which is identified by its id in an authentication server, e.g. keycloak.
y
ah, so like an hr software sort of use case?
j
Yeah, its like that. An user "admin/ manager" can manage its people, but the "admin/ manager" can also manage itself or other "admin/ manager"s
y
so this is a LookupSubjects with a specific 
person
as the resource and 
view
as the permission?
j
Yes, also when checking the permission e.g. 
zed permission check person:william view user:3
y
yeah, i don't think there's a way to work around the fact that 
member
is a wide relation.
why are you trying to avoid having users attached to the tenant?
i suppose if you have the 
person
id associated with a given user you can skip that hop 🤔
j
Yeah there are two solutions avoiding this whole problem. Indeed, attaching the users directly to the tenant as members. Or resolving the person and throwing out the whole user definition.
So if there is no way around solving it efficiently with the abstraction in spiceDB, I will have to go that way. The main reason for it was that it is more clean to store the userid in spiceDB and resolve it to a person. So our services (microservice arch) know of the user and never need to know that a person exists.
y
but something is writing the relation between the user and the person, yeah?
is there a reason that same thing can't also write a relation between the user and the tenant?
j
I am sure it can 🙂
Thanks for letting know that this path/ wide relationship thing is expected. We will need to work around that.
y
sure thing! and it's theoretically something that will improve as we continue to optimize SpiceDB and implement a graph query planner - as much as possible we'd like to make business logic performant and avoid needing structural workarounds to problems
but wide relations are currently a Hard Problem
j
for now, you can also change your chunk size from 
100
(the default) to 
1000
(or more), which should help
the flag is 
--dispatch-chunk-size
j
Doubt that that is really making an impact on our setup, we see it blocking in it's 
QueryRelationships
relation call for more than 10 seconds.
j
in check?
j
Yes, specificly the CheckBulkPermissions.
j
that seems concerning; even selecting 10K rows from a table shouldn't take 10s
j
The 10s is the worst case scenario. With >200k members on 1 tenant, we see performance impact starting from >10k.
6 Views
PreviousNext
Powered by