Bulk check API

Open gonzalad opened this issue 3 years ago • 4 comments

Hello,

I'm evaluating spicedb (very nice product btw !).

I'd like to handle the following use case:

My front-end app calls my rest API to display the list of objects returned by the API. The last column of the list is an 'Actions' column. This column contains the list of actions that can be executed by the current user on the given object.

I'd imagine calling SpiceDb API to evaluate a [list of permissions] for a given user and for a [list of objects]. This way, I'd know the buttons I need to display in each row of the actions column.

I could of course do that by calling the checkPermission API in a loop, but it won't scale.

Is there something like a bulk checkPermission API?

Thanks !

gonzalad avatar May 29 '22 19:05 gonzalad

Hey there!

Feel free to jump into Discord if you'd like to discuss your particular example more often.

In the past, when we considered bulk checking, we figured that the frame multiplexing in HTTP2 would handle this reasonably well. We're totally open to re-evaluating that, if folks are finding otherwise.

jzelinskie avatar Jul 01 '22 04:07 jzelinskie

@gonzalad would it be sufficient to be able to check for the same permission on different object IDs, or do you need different object types + permissions as well?

josephschorr avatar Sep 01 '22 20:09 josephschorr

Hi @josephschorr, my use case is to check a list of permissions on different object IDs (all object IDs being of the same type).

For instance, my use case could be covered by a request parameter like this (it's just a rough sample - just to give a better idea, there are surely better ways to represent the request):

{
   "objectIds": ["id1", "id2"],
   "permissions": ["perm1", "perm2"],
   "user": "myuser"
}

The previous request would be generated by the front end when it displays a table containing 2 lines (object id1 and object id2), and when the user can potentially perform 2 actions for a given line (the two actions being represented by perm1 and perm2 permission).

Depending on the response from the API, the actions for each line will be enabled or disabled.

Thanks

gonzalad avatar Sep 01 '22 22:09 gonzalad

@gonzalad Okay. Supporting batch checks of multiple objects for the same permission will be doable from an internal perspective after https://github.com/authzed/spicedb/pull/777 is merged; I suppose we could look into a BulkCheck API that allowed for a set of permissions as well, and just dispatched in parallel

josephschorr avatar Sep 01 '22 23:09 josephschorr

#777 is now merged

NOTE: This is not available as a public API yet; this is simply an internal change that could facilitate a bulk check API publicly in the future

vroldanbet avatar Sep 22 '22 11:09 vroldanbet

Is this available as a public API now? Thanks

pathing avatar Oct 09 '22 06:10 pathing

@pathing #777 was an internal-only change for performance improvements. There is no externally available bulk checking API as of right now

josephschorr avatar Oct 09 '22 17:10 josephschorr

Any plans for this?

> @pathing #777 was an internal-only change for performance improvements. There is no externally available bulk checking API as of right now

pathing avatar Oct 11 '22 03:10 pathing

@pathing Tentative plans, yes, but still determining the best way to do so

josephschorr avatar Jan 17 '23 19:01 josephschorr

Questions for discussion:

  1. Maximum size of the batch?
  2. Should the batch check API be streaming in response, such that we return results as they are computed?

josephschorr avatar Jan 17 '23 19:01 josephschorr

On point 2, that sounds sane to me. It'd match the behavior of other bulk-ish endpoints (e.g. ListResources) and support a larger set of check results.

[EDIT] Though now that I think about it, it'd be convenient if the request and the response were in the same order from the perspective of consuming code, since it makes associating the pieces of the response easier.

Additionally, our use case would be pretty much entirely supported by a request shape that has a single subject and permission and then varies over the resource ids.

reify-tanner-stirrat avatar Jul 12 '23 13:07 reify-tanner-stirrat

This is now in active development here: https://github.com/authzed/spicedb/pull/1453

josephschorr avatar Aug 07 '23 21:08 josephschorr

@josephschorr thanks for the update 👍 just to verify: this is currently implemented for different objects, not different permissions, right?

I ask bc I think of a meta-authz case where different permissions could become handy when you e.g. want to check "user is able to delete file in folder, but only if they have write rights on the folder" or sth

DGuhr avatar Aug 16 '23 08:08 DGuhr

@DGuhr it's implemented for any combination, but only optimized for different objects

josephschorr avatar Aug 16 '23 14:08 josephschorr

This is great, when can we see this in a release tag?

kushsharma avatar Aug 18 '23 17:08 kushsharma

Great job! Is there any sort of benchmark or any idea of the perf improvement brought by bulk-checking? :)

williamdclt avatar Sep 06 '23 21:09 williamdclt

> This is great, when can we see this in a release tag?

Went out in v1.25.0

> Is there any sort of benchmark or any idea of the perf improvement brought by bulk-checking? :)

The major perf improvement today will be if using the bulk check to check the same permission, on the same subject, for different resources: in that case, the system will auto-batch those checks into a single check of up to 100 checks at once, and run them as a single dispatch tree. This is already done internally for subproblems, but is now accessible via bulk check

josephschorr avatar Sep 06 '23 22:09 josephschorr
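
The grouping described in the last comment (same permission and subject, different resources, up to 100 per batch), combined with the request-order results asked for earlier in the thread, as an added example that is not SpiceDB's code or API. `CheckItem`, `BatchChecker`, `BulkCheck` and `demoChecker` are hypothetical names, and the checker is a constructed stand-in for a real backend.

```go
package main

import "fmt"

// CheckItem and BatchChecker are hypothetical names, not SpiceDB API types.
type CheckItem struct{ ResourceID, Permission, Subject string }
type BatchChecker func(subject, permission string, ids []string) (map[string]bool, error)
const maxBatch = 100 // batch size mentioned in the thread

// BulkCheck groups items by (subject, permission), sends at most maxBatch resources
// per call, and returns answers in request order; any error denies everything.
func BulkCheck(items []CheckItem, check BatchChecker) ([]bool, int, error) {
	type key struct{ subject, permission string }
	groups := map[key][]int{} // group -> indexes into items
	for i, it := range items {
		k := key{it.Subject, it.Permission}
		groups[k] = append(groups[k], i)
	}
	results, calls := make([]bool, len(items)), 0 // false (denied) by default
	for k, idx := range groups {
		for start := 0; start < len(idx); start += maxBatch {
			batch := idx[start:]
			if len(batch) > maxBatch {
				batch = batch[:maxBatch]
			}
			ids := make([]string, len(batch))
			for j, i := range batch {
				ids[j] = items[i].ResourceID
			}
			allowed, err := check(k.subject, k.permission, ids)
			calls++
			if err != nil {
				return make([]bool, len(items)), calls, err
			}
			for _, i := range batch {
				results[i] = allowed[items[i].ResourceID] // missing answer = denied
			}
		}
	}
	return results, calls, nil
}

// demoChecker is a constructed stand-in backend that allows only "id1".
func demoChecker(_, _ string, _ []string) (map[string]bool, error) {
	return map[string]bool{"id1": true}, nil
}

func main() {
	items := []CheckItem{{"id1", "perm1", "myuser"}, {"id2", "perm1", "myuser"}, {"id1", "perm2", "myuser"}}
	fmt.Println(BulkCheck(items, demoChecker))
}
```

Because the result slice is indexed like the request, a front end can map each entry straight back to its table row and action button, and a backend failure leaves every button disabled rather than enabled.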