https://authzed.com logo
Title
e

ensonic

01/23/2023, 11:19 AM
hi, Just read https://authzed.com/blog/acl-filtering-in-authzed/, because this is currently our biggest performance concern when it comes to scale. I feel the article ended slightly premature. It tells people how to get a list of object-ids that satisfy the query, but now you need to basically do a paginated query against your 'other' database such as
SELECT * FROM TABLE docs WHERE doc-id IN (id1, id2, ..., idn)
to list documents the given user can e.g. view with some metadata. And if the user can view 1000 docs, I doubt one can put those 1000 doc-ids into the query. I wonder what people practically do here.
(Please reply via thread)
v

vroldanbet

01/23/2023, 12:20 PM
You are correct this is problematic when JOINing results from SpiceDB and the client application tables. We don't have a good answer for that right now, and the possible solutions are being explored in https://github.com/authzed/spicedb/issues/207
e

ensonic

01/23/2023, 3:05 PM
Thanks. I've found that issue too. I understand how that cache helps with the overall use case, but my main concern is the join. I am wondering if people e..g add a dedicated server-side query api to address this.
v

vroldanbet

01/23/2023, 5:47 PM
I don't think I can point you to a specific example on how folks do this. What we are exploring is: - Bloom Filter that could be used in the database side - have client application consume the permission stream into their database so they can JOIN with the tables to filter
j

jzelinskie

01/23/2023, 11:21 PM
Some folks are consuming the Watch API and then calling th Lookup APIs and saving the results into their datastore in a format where they can then perform JOINs. That's another option, if eventual consistency is okay for your application. It's also known to scale to quite a large amount of traffic on the Postgres datastore specifically.
e

ensonic

01/24/2023, 3:25 PM
Thanks for the answers!
We'll do some benchmark