https://authzed.com logo
Join Discord
Powered by
<@!847483469982597140> yep, we have an internal de...
# spicedb
j
@User yep, we have an internal design I put together for exactly that stream of changes, and then coupling it to a cache that can be fed to something like ElasticSearch
j
Cool! If a relationship to one resource kind changes that affects another type of resource's permission(s), will the Watch API still stream that change? Or will it only stream permission changes for the type of resource that was mutated? Not sure I fully understand the design there, but it sounds like you guys are starting this work. Do you have an open RFC doc or something I can refer to to read up on the proposed design?
j
not yet; I wrote this a few months ago and then it was set aside while we worked on other things (like open sourcing)
would you/your colleagues be able to devote engineering time to implementation if we come up with a working proposal?
j
For sure
I'd be happy to tackle it if you guys have a design proposal you'd like to run by me.
j
well, we'd run it as a public proposal in the Github issues to allow for public discussion
but before we do so, we should ensure that it'll be picked up, as otherwise it might accidentally languish
j
Yeah, that sounds great. That's all I meant.. If there's an open proposal then I can start looking at it and I'd be happy to be assigned to it and tackle it.
j
okay; I'll update the proposal and bring it over into an issue
a few technical background questions
1) are you guys using ElasticSearch or another indexing system
2) what level of consistency are you hoping to have at any particular moment?
j
> are you guys using ElasticSearch or another indexing system We're using a lot of different systems. ElasticSearch is the primary engine backing our app search engines. But we also index data into mongodb and others for other use cases like analytics and reporting etc... > what level of consistency are you hoping to have at any particular moment? I envision the client watching for changes to have to also respect the zookie protocol. If they do not, then they can't guarantee consistent evaluations. That also gives the client the ability to choose what level of consistency is actually required. Our reporting engine, for example, can accept a little higher consistency window than our app search engine. Our platform's app search engine should be consistent within a couple of seconds in general. Does that answer your question? I can provide more detail, but that's a summary.
j
yeah, makes sense
j
👍
j
the one caveat is if you gave a zedtoken "ahead" of the cache, it would simply not be able to return results (because a bunch of things could have changed)
the design I envision is that the call returns the zedtoken pointing to when it was computed, and then if you're filtering based on those results, you'd call Check on any items that have a newer zedtoken (potentially)
which should be few
j
I think that's an appropriate compromise. I need to think about it a little more though. I do think that it's fair to block/wait or fail fast if the zookie provided is ahead of the latest cached entry. In that case it would be the clients responsibility to reattempt the request.
j
yep
j
Cool, yeah we're on the same page. And, in general, these edge cases will likely not be encountered by our integrations. We don't have super tight requirements of consistent checks for our application. Some applications will require more strict constraints, but most will be quite lenient.
At least for these external access-aware search indexes. I think today that things propagate sub minute in some circumstances 🤣 so if we can bring that into sub second then we're dandy!
j
well, the design proposal is, in theory, massively scalable
so if you ran enough nodes, it should in theory be SUPER fast
j
Cool! I look forward to reading the proposal. I can commit company time to work on it as well, so you have my word that at least myself or my team can pitch in on the effort.
j
good to know. I'd love to get them engaged in here too once the proposal is up, so we can all discuss the design 🙂
j
Joey, did you open an issue for this?
j
@User not yet; I've been polishing up the proposal. Will likely post tomorrow
I had to remove all our internal references and whatnot
j
👍
Over here at Adobe we have a garage week coming up where we can dedicate a whole two weeks to development on any project we see fit. This would be a good time to dedicate some work time and resources to any help/support in this effort or others.
j
getting the proposal reviewed now
j
Sweet. I don't know if that's too rushed, but if it worked out to fit this work into our garage week I could get one or two additional engineers potentially to help out if needs be.
j
j
Provided some feedback 🙂
j
@User responded
we can also discuss here in more realtime if that's easier
j
Sounds good. I like the discussion going on. Good stuff 👍 I responded back 🙂
j
just responded to your response
j
Sweet! Back at ya 😉
I think I've worked through most of my feedback. I like the overall approach. Some of my design ideas would be icing on the cake for our client integration(s) at Adobe, but overall I'm feeling confident in it supporting our use cases.
j
cool
@User if you can ask for feedback from others who might contribute, that would help too
and then once we get community sign off, we can start talking about dividing up the implementation
6 Views
PreviousNext
Powered by