# spicedb
  • j

    Joey

    06/11/2025, 5:21 PM
    the folder is the subject
  • l

    Liam Costello (Flowers-Software)

    06/11/2025, 5:49 PM
    Thank you! Makes sense
  • t

    Toi

    06/13/2025, 6:17 PM
    Actually, I don't think the zed cli will work within my pipeline. I think I will have to use the REST endpoint to write the schema. Is there a simple way to convert the .zed file into a string that the REST endpoint accepts?
  • j

    Joey

    06/13/2025, 6:29 PM
    It’s the same string
  • t

    Toi

    06/13/2025, 10:03 PM
    Another question hehe. How much more performant is lookUpSubjects and lookUpResources compared to readRelationships? Or are they similar?
  • j

    Joey

    06/14/2025, 12:53 AM
    if reading a single relation, same performance. otherwise, LR/LS is strictly less performant, as it would have to read multiple relations, vs read which is a single relation
  • t

    Toi

    06/14/2025, 2:54 AM
    Thanks! And overall, what are the caveats of using readRelationships? I understand it should be avoided when possible, but when does it become problematic? Is it a factor of how many relationships the database has in total?
  • j

    Joey

    06/14/2025, 3:00 AM
    I mean, what are you trying to accomplish?
  • t

    Toi

    06/14/2025, 3:01 AM
    So I have an RBAC modeled in spicedb. Users can be members of roles. To get all roles a user is a member of, I'm currently using readRelationships. Could that eventually become a problem?
  • j

    Joey

    06/14/2025, 3:03 AM
    so long as you use a limit+cursoring, it should be fine
  • j

    Joey

    06/14/2025, 3:03 AM
    at some point it will become problematic for the caller, but SpiceDB should be okay with it: it's a simple direct lookup
  • j

    Joey

    06/14/2025, 3:04 AM
    vs LR which is computed
  • t

    Toi

    06/14/2025, 3:05 AM
    You mean problematic for the caller in the sense it starts returning too many relationships? Cause I don't think that will be my case
  • j

    Joey

    06/14/2025, 3:05 AM
    yup
  • t

    Toi

    06/14/2025, 3:06 AM
    Cool. I'll stick with it then! Thanks!
  • t

    Toi

    06/14/2025, 3:07 AM
    It shouldn't be a problem for the underlying database either, right? Not sure how these lookups (with readRelationships) are indexed
  • j

    Joey

    06/14/2025, 4:06 AM
    depends on what you're using as a filter
  • n

    n.ithin

    06/15/2025, 1:43 PM
    Do you have any recommendations for fully managed services or platforms to host SpiceDB? We are evaluating the product and were looking for someplace where I do not have to manage the infrastructure myself.
  • j

    Joey

    06/15/2025, 7:27 PM
    That's our primary business model: https://authzed.com/products/authzed-dedicated for dedicated installs and https://authzed.com/z/authzed-cloud-waitlist for the upcoming Cloud environment
  • j

    JoostJoh

    06/16/2025, 12:29 PM
    Looking up indirect subjects, our schema represents something like this:
    definition user {}
    
    definition person {
        relation owner: tenant
        relation representation: user
    
        permission view = owner->member
    }
    
    definition tenant {
        relation member: person#representation
    }
    Now we are seeing a big performance hit looking up if user:a can see person:b, when a tenant has a lot of members (> 10k). It follows the following path:
    ✓ person:william view
    └── ✓ tenant:main member
        └── ✓ person:jan,john,joost,william representation
            └── user:3
    It first looks up all the people that are a member of our tenant, then it loops through all the people until it finds the user (representation) with id 3. Any recommendations on how we could handle this lookup more efficiently? We would like to keep our abstraction of a user representing a person instead of making users direct members of the tenant.
  • t

    thanos_alas

    06/18/2025, 9:48 AM
    I have upgraded spicedb from 39 to 44.4 and in logs I can see there are continuous db call insertions to relation_tuple_transaction. How to stop these calls and why is it happening?
  • b

    braden

    06/18/2025, 1:27 PM
    I've been told that I need to run the spicedb datastore repair command on my postgres read replicas before updating my spiceDB deployment to use them. Two questions:
    * Is this command safe to run multiple times?
    * Will I need to run this command again if we upgrade our read replica instances in AWS?
  • y

    yetitwo

    06/18/2025, 2:03 PM
    1. yes
    2. you shouldn't
  • b

    braden

    06/18/2025, 2:04 PM
    Awesome. Thanks a bunch!
  • j

    jzelinskie

    06/18/2025, 7:39 PM
    if you want to know how/why you need to run that command, it's in my recent POSETTE talk:

    https://www.youtube.com/watch?v=_f6fHy4DWWM

  • r

    romansoldiers

    06/18/2025, 7:41 PM
    hey folks! We are evaluating using SpiceDB at our company and I wanted to clarify something -- without the enterprise license you cannot have a way to do any sort of role based access control on the SpiceDB APIs themselves, is this right? From my reading you have to use PSKs, which would mean that any workload can have more than just "check permissions", it could also say change the policy, etc. If this is right then how is the open source version supposed to be hosted? Is the idea that we have to build some kind of service to front SpiceDB to ensure only the "check permission" API is allowed to be called by workloads (or obviously we can also get the enterprise version -- which isn't out of the question, just trying to understand).
  • j

    jzelinskie

    06/18/2025, 7:51 PM
    That's correct. The PSKs in open source SpiceDB are solely used for authenticating the service to SpiceDB. Once you've authenticated, you have full access to the SpiceDB. SpiceDB Enterprise (self-hosted) and AuthZed's Dedicated Cloud platform (managed) ship with the ability to control what each PSK can actually perform on the API. If you want this functionality, we'd obviously prefer you use one of the paid products otherwise you'd have to do as you say and build something in front of SpiceDB which further adds latency and additional complexity that could lead to privilege escalation if misconfigured/buggy.
  • r

    romansoldiers

    06/18/2025, 8:09 PM
    thank you so much! that makes total sense
  • y

    yetitwo

    06/18/2025, 9:42 PM
    the "fronting service" is how we did it at my old company
  • r

    romansoldiers

    06/18/2025, 10:12 PM
    thanks! yeah that makes sense