perf & load testing in authorization systems. Why k6 How Fast vs How Well 01 05 04 02 The Good, the Bad & the Ugly 06 03 The Problem Tools Analysis Benchmark vs. Perf Conclusions Real World Scenarios
databases- : If you want to learn the nitty-gritty details of a distributed system, get familiar with the release process. Release process =! Deployment
permission checks remain fast and stable under realistic workloads. It provides continuous feedback on the impact of code changes, ensuring that any performance regressions are caught immediately. This helps identify even minor slowdowns that can degrade dev experience or expose security gaps
performance/load tests are equivalent since both measure metrics such as response time and throughput Benchmarks • Isolated code paths in controlled environments • Measures raw speed (latency, throughput) • Offers a best-case performance snapshot Perf/Load • Simulates real-world concurrency and multi-service interactions • Monitors system stability, error rates, and resource usage • Identifies bottlenecks and regressions under stress
a single permission check on an optimized Postgres instance or Running an isolated query against SpiceDB to record the maximum throughput (queries-per-second) when no other operations are active. Perf/Load Simulating 1,000 concurrent checks across multiple resources to capture latency distributions and identify bottlenecks. or Stress-testing cache invalidation by rapidly updating policies and then immediately querying permissions, exposing real-world delays.
exercise to illustrate the ideas shared on this presentation, simplified for brevity. These snippets aren’t comprehensive enough to describe the full capabilities of SpiceDB.
reaching 75 queries per second. The positive_checking function picks a random relationship from the dataset and performs a single permission check, isolating the operation to provide a clear measurement of raw latency and throughput under controlled conditions.
It calls client.invoke to send a gRPC request to the PermissionsService/CheckPermission endpoint. The request includes data specifying: The resource, the permission to check & the subject. The test alternates between two scenarios: evenly distributes different workloads across the user pool, simulating varied real-world interactions.
on write operations. It generates a random batch of updates to simulate concurrent writes and verifies that each batch is processed successfully. The threshold ensures that 95th percentile write latency stays below 2000ms, capturing key performance metrics under stress.
or TS 😛 • built-in support for detailed metrics (e.g., latency distributions, error rates, throughput), but you can also add your own. Good for diagnosing performance regressions. • Easy to understand tradeoffs • Open Source ❤ Why K6
differentiate between transient performance anomalies -or trade-offs!- and genuine regressions. We often need expert tuning and contextual understanding of production behaviours.
test can be to find the breaking point of your software, and plan around it: do we fix it? Do we work around it? How do we make sure we don’t hit those values in production? How the system degrades under load. Are we ok with it?
more stable releases. Setting up an environment that faithfully replicates prod* conditions and interpret the data to drive actionable insights. Know your system. Forget the testers vs. devs mentality. Benchmarks vs. Performance & load
need to be alive: constantly tweaking them based on real world scenarios with customers. Every post-mortem (or equivalent) is an opportunity to improve the project. Be patient.
fib
bkeepers
shpigford
csswizardry
tenderlove
sugarenia
honnibal
carmenintech
iamctodd
sstephenson
sergeychernyshev
jeffersonlam
