Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

A path to authorization #7

Open
auniverseaway opened this issue Jan 17, 2024 · 2 comments
Open

A path to authorization #7

auniverseaway opened this issue Jan 17, 2024 · 2 comments

Comments

@auniverseaway
Copy link
Member

auniverseaway commented Jan 17, 2024

Intro

This will be a bit of solutioning, so apologies in advance. This isn't meant to be prescriptive, it's only meant to illustrate how I think we could solve this. All other ideas are welcome.

Vocabulary

Authentication - We know who the person is.
Authorization - We know what the person can do.

Background

As of today, we use Cloudflare KV for authentication (technically a very light authorization) storage. This currently only exists at the org / bucket level. The user can either do everything in the bucket, or they cannot see / do anything. Part of the reason we used KV is that it seems to be more performant than finding an S3 JSON file to determine permissions.

And idea

I think this would need to be validated, but I almost wonder if we can expand the KV use for all descendants.

The idea would basically be:

  1. A user requests a path /adobecom/bacom/de/products/experience-manager/aem-assets.
  2. We use KV to descend down the tree to look for permissions.
  3. Lowest permission path wins.

Assumptions

From what I have seen in the wild on many projects, custom permissions do not typically go lower than 4-5 levels deep. We could even ignore org for certain requests that are below a site.

  1. Org
  2. Site
  3. Locale
  4. Sub-folder (drafts?)

In this scenario, we would descend until we don't find a KV that matches the sub-path. In theory, this would be more performant than trying to walk up the tree because a lot of the leafs will be null.

Other ideas

DynamoDB? S3 and see the performance implications?

Other notes

It would be good to get concrete about how fast KV is in comparison to the alternatives. My general hope is that we stay around ~300ms to deliver the response. In my, admittedly brief, explorations, I saw two S3 calls ballooning up to 500ms+.

\cc @bstopp @cazzaranjosh

@bstopp
Copy link
Contributor

bstopp commented Jan 17, 2024

What are the limitations in the size and number of KV entries allowed in a given "bucket"?

@auniverseaway
Copy link
Member Author

What are the limitations in the size and number of KV entries allowed in a given "bucket"?

None. It's infinite. See: https://developers.cloudflare.com/kv/platform/limits/

Somewhat related: we have a single KV for all orgs due to the Worker / KV binding in the wrangler.toml. I think part of this exploration should be:

  1. Separate out the session storage (the users) from the permissions KV... currently they are shared.
  2. See if we can move to a KV per org without sacrificing performance. My assumption is that we get some performance magic going the binding route, but if we want to mitigate risk, I think it would be more ideal that there's a 1:1 between KV store and customer... makes migrations easier, too.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants