we looked at zanzibar yesterday, where a user A has access to an object B if there's a path between them in the access graph. let's walk through how they make this graph reachability problem efficient. - ThreadSky

About ThreadSky

sujayakar.bsky.social • 96 days ago

we looked at zanzibar yesterday, where a user A has access to an object B if there's a path between them in the access graph. let's walk through how they make this graph reachability problem efficient.

Comments

sujayakar.bsky.social•96 days ago

checking path reachability is difficult: users may have access to millions+ of objects, and doing a naive depth-first search in the object graph on every access would be really expensive.

sujayakar.bsky.social•96 days ago

zanzibar addresses this with their "leopard indexing" system. the core idea here is *to make assumptions about the structure of the access control graph*, and not have to solve the general graph reachability problem.

sujayakar.bsky.social•96 days ago

I've drawn a representative access control graph, where we start with user A and traverse the graph to all of the objects reachable from A.

sujayakar.bsky.social•96 days ago

I've highlighted the nodes *one step back* from each final object. zanzibar assumes that this set has relatively low cardinality.

sujayakar.bsky.social•96 days ago

intuitively, each user is a member of a group, which may be nested in another group, which may then own a project. projects may have many documents, but the set of all projects visible to a user should be relatively small.

sujayakar.bsky.social•96 days ago

with this assumption, their indexing system precomputes the set of highlighted nodes reachable from each user. then, for each object, it also precomputes the set of all highlighted nodes that are one step away.

Posting Rules

Be respectful to others
No spam or self-promotion
Stay on topic
Follow Bluesky's terms of service

Comments

Posting Rules

Reply