[keycloak-dev] User-managed permissions

Stian Thorgersen sthorger at redhat.com
Mon Mar 27 02:56:22 EDT 2017


We do need to start stress testing this stuff and make sure it can hold up
to the load it needs to. That will have to be done prior to making authz
services supported.

On 23 March 2017 at 19:43, Pedro Igor Silva <psilva at redhat.com> wrote:

> I think a database still makes sense. What we put on top of that is the
> tricky part.
>
> AFAIK, that is what most of these social networks do, some of them use a
> database (e.g.: MySQL) but also different other things on top of it
> to avoid unnecessary hits. Usually these social networks are OK with
> eventual inconsistency. In our case, I'm not sure if we want to allow that.
>
> From a database perspective there are some tricks like partitioning data,
> in addition to a good and smart cache layer on top of it.
>
> But yes, that is not something trivial to do considering the amount of data
> we can be managing. Hope we can start doing some prototypes soon and see
> how it goes.
>
> On Thu, Mar 23, 2017 at 12:35 PM, Marek Posolda <mposolda at redhat.com>
> wrote:
>
> > I was wondering about the use-case when users manage permissions to
> > their own objects. It seems that proper support for this can be very
> > challenging for the amount of DB space.
> >
> > For example: I have 1000 documents and I have 1000 users. I want to be
> > able to define fine-grained permissions and be able to define that user
> > "john" is able to see document-1 and document-2, but not document-3 etc.
> > So I can end with up to:
> >
> > count of users * number of documents = 1000 users * 1000 documents =
> > 1000000 permission records in DB
> >
> > When authorization scopes (actions) come into play and I want to specify
> > that "john" is able just to "read" document-1 when "alice" is able to
> > "read", "update" and "comment" on document-1, I may end up with 5
> > million objects in DB (assuming I have 5 actions).
> >
> > We can do something like divide documents into "groups" and grant the
> > permission just per group. But for example Google allows grouping things
> > (you can put more photos into one photoalbum and share the whole photoalbum
> > with user "john"), but also defining fine-grained permissions (share just a
> > single photo with user "john").
> >
> > My estimation is that using JPA to save such data is likely not
> > feasible. And I bet that Google is really using something different :-)
> >
> > Maybe we need to restore Mongo or some other similar DB type to manage
> > this stuff? Or is it something where the "Nearby policy evaluation" can
> > help and permissions data would rather need to be saved by the
> > application itself?
> >
> > Marek
> >
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
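The storage trade-off Marek describes (one record per user, document and action, versus sharing a whole "album" and keeping fine-grained grants only where needed), worked through as an added example that is not part of the thread or of Keycloak's code; the PermissionStore class, the record layout and the document/album names are assumptions for illustration:

```python
"""Added example (not from the keycloak-dev thread): an in-memory model of
user-managed permissions. A record is (user, target, scope), where target is
either a single resource ("doc-1") or a group of resources ("album:team").
All names and the API are assumptions, not Keycloak's authz services."""
from collections import defaultdict


class PermissionStore:
    def __init__(self):
        self.records = set()            # (user, target, scope)
        self.groups = defaultdict(set)  # group name -> member resources

    def add_to_group(self, group, resource):
        self.groups[group].add(resource)

    def grant(self, user, target, scopes):
        for scope in scopes:
            self.records.add((user, target, scope))

    def effective_scopes(self, user, resource):
        """Union of scopes granted directly on the resource and through any
        group containing it. A linear scan is fine here; a real store would
        index by (user, target) so evaluation does not touch every record."""
        targets = {resource}
        targets |= {g for g, members in self.groups.items() if resource in members}
        return {s for (u, t, s) in self.records if u == user and t in targets}

    def record_count(self):
        return len(self.records)


def worst_case_records(users, documents, actions=5):
    """Marek's upper bound: one record per user x document x action
    (5 actions assumed, as in the thread)."""
    return users * documents * actions


def build_thread_example():
    """john may only read doc-1 and doc-2 and must not see doc-3; alice may
    read/update/comment on doc-1. 1000 further documents are shared with both
    users through one album instead of 1000 per-document grants each."""
    store = PermissionStore()
    store.grant("john", "doc-1", ["read"])
    store.grant("john", "doc-2", ["read"])
    store.grant("alice", "doc-1", ["read", "update", "comment"])
    for i in range(4, 1004):                       # doc-4 .. doc-1003
        store.add_to_group("album:team", f"doc-{i}")
    store.grant("john", "album:team", ["read"])
    store.grant("alice", "album:team", ["read", "comment"])
    return store
```

The group grant keeps the store at a handful of records for a thousand documents, while a direct grant on doc-1 still lets alice hold scopes that the album does not give her.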