Question
Design permission-aware enterprise search: every user must see only the documents they are authorized to access, where authorization comes from a complex ACL system (groups, nested groups, sharing, inheritance) over 500M documents and 200k users. The naive approach of retrieving the top results and then checking each one against the ACL service (post-filtering) has two problems: it can return an empty or short page (you fetched the 10 most relevant documents and the user is allowed to see none of them), and it hammers the ACL service with a check per candidate. How do you make ranked results both relevant and correctly access-filtered without leaking restricted documents?
Clarify scale and constraints first. Propose a clean component breakdown, then go deep on the hard parts — data model, bottlenecks, consistency, failure modes — and name the trade-offs you are making.
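As an added illustration (not part of the original question), the following Python example contrasts the post-filtering approach described above with pre-filtering on an expanded principal set: group membership is resolved to its transitive closure once per request, folder ACL inheritance is flattened into each document at index time, deny entries override allow entries, and the filter is applied before ranking so a page is full whenever enough readable documents exist. The group graph, folder hierarchy, documents, ACLs and the term-overlap scoring function are all constructed toy data, not a real directory or search engine.

```python
"""Toy permission-aware search: post-filtering vs. pre-filtering.

Everything below is constructed sample data for illustration; a real
deployment would load groups from the directory and ACLs from the ACL service.
"""
from collections import deque

# Constructed group graph: group -> direct members (users or nested groups).
GROUP_MEMBERS = {
    "g:all-staff": {"g:eng", "g:sales"},
    "g:eng": {"g:platform", "u:alice"},
    "g:platform": {"u:bob"},
    "g:sales": {"u:carol"},
    "g:legal": {"u:dave"},
}

# Constructed folder tree (child -> parent) and per-folder ACLs.
FOLDER_PARENT = {"/": None, "/eng": "/", "/eng/platform": "/eng", "/legal": "/"}
FOLDER_ACL = {
    "/": {"allow": set(), "deny": set()},
    "/eng": {"allow": {"g:eng"}, "deny": set()},
    "/eng/platform": {"allow": set(), "deny": set()},
    "/legal": {"allow": {"g:legal"}, "deny": set()},
}

# Constructed documents: (id, folder, text, own allow list, own deny list).
RAW_DOCS = [
    ("d1", "/legal", "outage postmortem legal review", set(), set()),
    ("d2", "/legal", "postmortem outage contract terms", set(), set()),
    ("d3", "/eng", "outage postmortem database", set(), set()),
    ("d4", "/eng/platform", "postmortem outage kubernetes", set(), {"u:bob"}),
    ("d5", "/eng", "outage runbook", set(), set()),
    ("d6", "/", "outage holiday party", {"g:all-staff"}, set()),
]


def effective_principals(user):
    """Transitive closure of membership: the user plus every group that
    contains them directly or through nesting. Computed once per request."""
    parents = {}
    for group, members in GROUP_MEMBERS.items():
        for member in members:
            parents.setdefault(member, set()).add(group)
    seen, queue = {user}, deque([user])
    while queue:
        principal = queue.popleft()
        for group in parents.get(principal, ()):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return frozenset(seen)


def flatten_acl(folder, allow, deny):
    """Resolve inheritance at index time by unioning the folder chain's ACLs
    into the document's own, so the query never has to walk the tree."""
    readers, denied = set(allow), set(deny)
    while folder is not None:
        readers |= FOLDER_ACL[folder]["allow"]
        denied |= FOLDER_ACL[folder]["deny"]
        folder = FOLDER_PARENT[folder]
    return readers, denied


def build_index():
    index = []
    for doc_id, folder, text, allow, deny in RAW_DOCS:
        readers, denied = flatten_acl(folder, allow, deny)
        index.append({"id": doc_id, "terms": set(text.split()),
                      "readers": readers, "denied": denied})
    return index


INDEX = build_index()


def is_authorized(principals, doc):
    """Deny wins over allow; otherwise any matching reader principal grants access."""
    if principals & doc["denied"]:
        return False
    return bool(principals & doc["readers"])


def rank(docs, query):
    """Placeholder relevance: count of query terms present. Stable sort keeps
    index order among ties so results are deterministic."""
    terms = set(query.split())
    scored = [(len(terms & d["terms"]), d) for d in docs]
    scored = [(s, d) for s, d in scored if s > 0]
    scored.sort(key=lambda sd: -sd[0])
    return [d for _, d in scored]


def post_filter_search(query, user, page_size):
    """Naive: rank everything, take one page, then drop what the user cannot read.
    The page can come back short or empty."""
    principals = effective_principals(user)
    page = rank(INDEX, query)[:page_size]
    return [d["id"] for d in page if is_authorized(principals, d)]


def pre_filter_search(query, user, page_size):
    """Filter candidates by the expanded principal set, then rank and page."""
    principals = effective_principals(user)
    visible = [d for d in INDEX if is_authorized(principals, d)]
    return [d["id"] for d in rank(visible, query)[:page_size]]


def leaked(result_ids, user):
    """Audit helper: returned ids the user is not actually allowed to read."""
    principals = effective_principals(user)
    by_id = {d["id"]: d for d in INDEX}
    return [i for i in result_ids if not is_authorized(principals, by_id[i])]


if __name__ == "__main__":
    for user in ("u:bob", "u:alice", "u:dave"):
        print(user, "post:", post_filter_search("outage postmortem", user, 3),
              "pre:", pre_filter_search("outage postmortem", user, 3))
```

For "u:bob" the top three documents overall are the two legal postmortems and one engineering postmortem, so post-filtering returns a single result, while pre-filtering returns a full page of three readable documents and excludes d4, where an explicit deny on the document overrides the allow inherited from the /eng folder. In a real engine the flattened `readers` and `denied` sets become indexed fields and the filter becomes a terms filter plus a must-not clause evaluated inside the query, so the ACL service is consulted once per request (to expand principals) rather than once per candidate. The trade-off this design accepts is consistency: because inheritance is flattened at index time, an ACL or group change is only reflected after the affected documents are re-indexed, which is the staleness window the question asks you to reason about.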