hi, Just read https://authzed.com/blog/acl-filteri...
# spicedb
e
hi, Just read https://authzed.com/blog/acl-filtering-in-authzed/, because this is currently our biggest performance concern when it comes to scale. I feel the article ended slightly premature. It tells people how to get a list of object-ids that satisfy the query, but now you need to basically do a paginated query against your 'other' database such as
SELECT * FROM TABLE docs WHERE doc-id IN (id1, id2, ..., idn)
to list documents the given user can e.g. view with some metadata. And if the user can view 1000 docs, I doubt one can put those 1000 doc-ids into the query. I wonder what people practically do here.
(Please reply via thread)
v
You are correct this is problematic when JOINing results from SpiceDB and the client application tables. We don't have a good answer for that right now, and the possible solutions are being explored in https://github.com/authzed/spicedb/issues/207
e
Thanks. I've found that issue too. I understand how that cache helps with the overall use case, but my main concern is the join. I am wondering if people e..g add a dedicated server-side query api to address this.
v
I don't think I can point you to a specific example on how folks do this. What we are exploring is: - Bloom Filter that could be used in the database side - have client application consume the permission stream into their database so they can JOIN with the tables to filter
j
Some folks are consuming the Watch API and then calling th Lookup APIs and saving the results into their datastore in a format where they can then perform JOINs. That's another option, if eventual consistency is okay for your application. It's also known to scale to quite a large amount of traffic on the Postgres datastore specifically.
e
Thanks for the answers!
We'll do some benchmark