However, some deeply recursive or wide relations can still be slow, so Zanzibar also has a pre-computation cache called Leopard that is used for a very specific subset of these relations [2]. For SpiceDB, we called our version of this cache Materialize and it is designed expressly for handling "Enterprise" levels of scale in a similar fashion, as sometimes it is simply too slow to walk these deep graphs in real-time.
[1]: https://zanzibar.tech/24uQOiQnVi:1T:4S [2]: https://zanzibar.tech/21tieegnDR:0.H1AowI3SG:2O
We have a guide on doing ACL-aware filtering and listing [2] with this API and describing other approaches for larger Enterprise scales
Disclaimer: I'm the co-founder and CTO of AuthZed, we develop SpiceDB, and I wrote our most recent implementation of LookupResources
[1]: https://buf.build/authzed/api/docs/main:authzed.api.v1#authz... [2]: https://authzed.com/docs/spicedb/modeling/protecting-a-list-...
One of the major benefits of a centralized authorization system is allowing for permissions queries across resources and subjects from multiple different services/sources (of course, with the need to synchronize the data in)
Happy to expand on how some users do so, if you're curious.
- SpiceDB (https://github.com/authzed/spicedb)
- Permify (https://github.com/Permify/permify)
- Warrant (https://github.com/warrant-dev/warrant)
- Ory Keto (https://github.com/ory/keto)Fine-grained authorization as an incremental computation problem
1. You have a column on your objects you want secured as an LTREE[] 2. You add a GIST index on that column
The values should be the different hierarchy paths to access the object starting with a "type" e.g departments.root.deptA
When you run a query, depending on how you want to access you use a <@ query. E.g. I'm a user with root access to all depts "col <@ 'departments.root'::ltree" or I'm a user in dept A "col <@ 'departments.root.deptA'::ltree" etc
The values should be the different hierarchy paths to access the object starting with a "type" e.g departments.root.deptA
When you run a query, depending on how you want to access you use a <@ query. E.g. I'm a user with root access to all depts "col <@ 'departments.root'::ltree" or I'm a user in dept A "col <@ 'departments.root.deptA'::ltree" etc
Trees with RDBMSes do stay a pain, though :-)
>The main risk with pre-computed permissions is data getting out of sync.
It would make sense to have permissions be a first class concept for databases and to ensure such a desync could never happen. Data being only read or written from specific users is a very common thing for data so it would be worth having first class support for it.
Much more likely I think is that you can’t use the db to prevent invalid states here (unique constraint, etc) and you’re dependent on other areas of the code correctly implementing concurrency controls. Race condition in resource A causes problems in your permissions table now.
And just from a general engineering perspective, you should assume things are going to fail and assess what your path forward looks like when they do. Recovery script sounds like a good idea for a critical area.
And that it is an internal google system?
The downside to this approach is that it requires some planning and to maintain in code what mask retrieves what permission(s).
Scales both on the tech, and on the human side - e.g. your product manager can add roles (with CI approval) without requiring engineering involvement.
(I'm biased but still true)