# general
m
This message was deleted.
h
Is this a theoretical problem or a problem you’re facing today?
w
The volume of records is theoretical for today, but the actual problem is real right now
But once we hit production, that volume of records will be real pretty quickly
Right now we handle this by keeping permissions for resources stored directly in the resource, so they can be part of a query. And then we separately store our user/group relationship so that I can first ask "what group ids can a user read/write/whatever" and then take that relatively tiny list and plug it into the query for our DB. Like, show all dashboards matching the user query AND that has readers that include either the user id or one of these 10 group ids. But that only seems to work for our own custom authorization system and ideally we'd like to move to third-party.
I did not see a strategy with Ory to ask for a list of every group a user is a member of (and recursively), but that also leads me to believe the mechanism I'm employing isn't best practices
s
either way works, depends on the result sets you expect (hits of search vs hits of positive permission results). we have a bulk permission check in the backlog for such use-cases
also, even if you have 10k results overall, you don't return all of them but paginate right? then you can also do the permission-checks lazily
w
Sure, but a page from Ory would contain 99% results that don't match the search query, and a page from our domain DB would contain 99% results that don't match the permissions query. It's a lot of shipping data that doesn't then match anything, and a lot of iteratively querying pages until we have a full actual page of results that match both permissions and the search query
s
yes exactly, so if you expect only a few matches from the db to be returned, first do the (paginated) search there, and then filter on the results. if you expect a user to only have access to a few objects, get them and then search only those
h
Thank you David and Patrik! That’s definitely an interesting use case. There are also some features in Ory Keto / Ory Permissions that we have on the roadmap but not yet actively working on. The problem primarily is that we have a lot of work in other areas from customers which is why we haven’t prioritized features that could solve these use cases natively. I’m not sure in which context you are but commercial interest always helps with getting these things shipped sooner than later. I’d be very interested to hear what you’re up to, maybe we should set up a call (or here in written form) and see if Ory can solve your problem. Alternatively there are of course also these architectural principles which Patrik mentioned that can make it work.
w
Right, but I'm saying both could have massive numbers of results
@high-optician-2097 absolutely, would be happy to hop on a call. We're definitely looking at commercial use
h
Ok, the easiest way is to choose a date at https://meetings-eu1.hubspot.com/aeneas/contact - ping me briefly when that’s done so i can provide some context for the people involved / cc @victorious-baker-16631 @kind-fireman-77262
w
Done for 11:30 am ET today
@high-optician-2097 ^
h
i won’t be able to make that call but the others will
w
Is there another time that would be better for you?
h
for me tomorrow would be better! but you can do the call today with tommy also
w
@high-optician-2097 ok great, I moved to tomorrow at 12:30 PM ET
Hi @high-optician-2097, unfortunately the call didn't really touch on this much -- Tommy wasn't too sure about it. I'd appreciate any thoughts on it that you have, because it's an important barrier to using your identity authz piece for us
h
Hi David, sorry that I couldn’t make it yesterday, there were some important topics that took my full focus and I lost track of time
w
No worries. Is there another time we could schedule specifically with you?
Hey @high-optician-2097 and @rich-thailand-93889, so I understand that you're pretty busy and that we're not a large paying client yet. But we're really interested in moving forward with an authentication provider ASAP. I understand that things come up and you weren't able to make that meeting, but @prehistoric-boots-58621 and I are also getting no replies to our emails, no response here on Slack threads, missed meetings, etc. and it's painting a picture that you aren't really serious about new customer acquisition right now. I think we've made it pretty clear that we'd become an enterprise customer if the tech proves out, and we have even asked for a quote for custom feature development. ORY was the frontrunner in our evaluation of different auth services so we've been spending quite a lot of man hours on it. If you aren't interested in our business, please let us know so we can spend our time focused on a different service.
r
Hey David, your email inquiry is on my queue for today. We work on request chronologically to ensure everyone is provided with answers fairly and equally. I don't believe we have had a missed meeting. Could you please clarify? I will be happy to reschedule if there is any confusion. Thank you for your patience.
w
Was referring to the fact that we scheduled a meeting at a time specifically so @high-optician-2097 could join but then it was skipped without warning/a request to reschedule. That meeting then had basically no use.
r
I believe there was a misunderstanding. Sorry about that. I have replied to your questions raised during the meeting via email.