|
1 | 1 | import { Callout } from 'nextra/components' |
2 | 2 |
|
3 | | -# AuthZed Materialize (Early Access) |
4 | | - |
5 | | -AuthZed Materialize works with AuthZed Dedicated and is inspired by the Leopard index component described in the [Zanzibar paper](https://zanzibar.tech/2IoYDUFMAE:0:T). |
6 | | -Much like the concept of a materialized view in relational databases, AuthZed Materialize supports SpiceDB permissions systems by precomputing permissions defined in your schema. |
7 | | - |
8 | | -By creating a materialized view of your permissions in a relational database, you can efficiently sort, search, and filter massive lists of authorized objects while leveraging the authorization computation capabilities of SpiceDB. |
| 3 | +# AuthZed Materialize |
9 | 4 |
|
10 | 5 | <Callout type="info"> |
11 | 6 | AuthZed Materialize is available to users of AuthZed [Dedicated] as part of an early access program. |
12 | 7 | Don't hesitate to get in touch with your AuthZed account team if you would like to participate. |
13 | 8 | </Callout> |
14 | 9 |
|
15 | | -[Dedicated]: ../guides/picking-a-product#dedicated |
16 | | - |
17 | | -## What Is AuthZed Materialize? |
| 10 | +AuthZed Materialize is inspired by the Leopard index component described in the [Zanzibar paper](https://zanzibar.tech/2IoYDUFMAE:0:T). |
| 11 | +Much like the concept of a materialized view in relational databases, AuthZed Materialize is a service that computes how permissions change after relationships |
| 12 | +are written, when those relationships affect a subject's membership in a permission set or a set’s permission on a specific resource. |
| 13 | +These permissions are then streamed to your client, so that you can store them as a denormalized table, and then do operations like searching, sorting, and filtering much more efficiently. |
18 | 14 |
|
19 | | -Materialize streams computed permission updates to a client. |
20 | | -Updates occur after a relationship is written that affects a subject's membership in a permission set or a set’s permission on a specific resource. |
21 | | -The intent is for users to process these updates and store them to form a precomputed and denormalized view of SpiceDB permissions. |
| 15 | +AuthZed Materialize allows you to: |
22 | 16 |
|
23 | | -## When To Use AuthZed Materialize? |
| 17 | +- speed up `CheckPermission` and `CheckBulkPermissions` |
| 18 | +- speed up `LookupResources` and `LookupSubjects`, especially when there is a large number of resources |
| 19 | +- build authorization-aware UIs, e.g. by providing a filtered and/or sorted list of more than several thousand authorized objects |
| 20 | +- perform ACL filtering in other secondary indexes, like a search index (e.g. ElasticSearch) |
24 | 21 |
|
25 | | -If you need to provide a filtered and/or sorted list of more than several thousand authorized objects or if you need an authorization-aware search index, you probably need Materialize. |
26 | | - |
27 | | -The primary use case for Materialize is to denormalize computed permissions into systems that excel at data retrieval operations like searching, sorting, and filtering. |
| 22 | +[Dedicated]: ../guides/picking-a-product#dedicated |
28 | 23 |
|
29 | | -There are some authorized object listing scenarios where [LookupResources] or [LookupSubjects], without Materialize, can return a response without a large computational cost. |
30 | | -Those scenarios include: |
| 24 | +## Limitations |
31 | 25 |
|
32 | | -1. Paginating through a list of authorized objects without sorting or filtering ([LookupResources] supports cursor-based pagination, but the list of objects is returned in a non-deterministic order) |
33 | | -2. Listing a small set (in the realm of thousands) of ordered or filtered objects. |
| 26 | +If there are: |
34 | 27 |
|
35 | | -If you do make a [LookupResources] or [LookupSubjects] request with a significant computational cost, you can expect the request to be slow and to use a large number of system resources, leading to slower response times for other queries. |
| 28 | +- [Caveats] |
| 29 | +- [Wildcard] subject types |
| 30 | +- [.all] |
36 | 31 |
|
37 | | -## Current Limitations |
| 32 | +on the path of permissions computed by Materialize, it will error out. |
| 33 | +However, your schema can still include them. |
38 | 34 |
|
39 | | -- [Caveats](https://authzed.com/docs/spicedb/concepts/caveats) are not supported on the path of permissions computed by Materialize |
40 | | -- [Wildcard](https://authzed.com/docs/spicedb/concepts/schema\#wildcards) subject types are not supported on the path of permissions computed by Materialize |
| 35 | +[Caveats]: https://authzed.com/docs/spicedb/concepts/caveats |
| 36 | +[Wildcard]: https://authzed.com/docs/spicedb/concepts/schema\#wildcards |
| 37 | +[.all]: https://authzed.com/docs/spicedb/concepts/schema\#all-intersection-arrow |
41 | 38 |
|
42 | | -You can still use both Caveats and Wildcards, so long they are not part of the path to the permissions you've asked Materialize to query. |
| 39 | +[Dedicated]: ../guides/picking-a-product#dedicated |
43 | 40 |
|
44 | 41 | ## Client SDK |
45 | 42 |
|
|
0 commit comments