https://authzed.com logo
Join Discord
Powered by
# spicedb
  • y

    yetitwo

    05/21/2025, 9:01 PM
    but can you explain more of what you'd like to see?
  • y

    yetitwo

    05/21/2025, 9:01 PM
    is it an assertion you want?
  • j

    Joey

    05/21/2025, 9:18 PM
    you can do it from the
    zed
    tab
  • t

    Tim

    05/21/2025, 9:33 PM
    i want to validate if user has the relation to all the resources i expect. assertTrue also starts with a resource like 'document:doc1....' , wondering if there was a way to say 'user:user1#...'
  • j

    Joey

    05/21/2025, 10:28 PM
    no; you can use expected relations for that but it is still resource -> all subjects
  • t

    Tim

    05/21/2025, 10:59 PM
    is there no other way to assert / query based on user in the playground?
  • j

    Joey

    05/21/2025, 10:59 PM
    assertions are always a single resource + permission + subject
  • Hello, i need help with modeling the
    t

    Tim

    05/21/2025, 11:13 PM
    Hello, i need help with modeling the schema to support my usecase I have a list api /accounts that returns a list of accounts. I have two types of users, 1) Global user 2) User within a territory. For 1), /accounts should return all the accounts. For 2), /accounts should return the accounts mapped to the user's territory. I have a
    read
    permission and
    read_by_territory
    . How do i merge them into a single permission? I tried using caveats but didn't succeed. Any help is greatly appreciated. definition user {} definition account { relation location: territory relation reader: user permission read = reader permission read_by_territory = read & location->assigned } definition territory { relation assigned_to: user permission assigned = assigned_to }
    y
    • 2
    • 2
  • n

    Nixon

    05/22/2025, 4:18 AM
    Hey folks, we're hitting an error with SpiceDB Serverless: 'CheckBulkPermissions is not yet supported in SpiceDB Serverless'. Does anyone know if there's a timeline for when this feature will be implemented in Serverless, or if there are any workarounds we should consider in the meantime?
  • j

    Joey

    05/22/2025, 4:40 AM
    There is, at present time, no scheduled timeline to add support for it
  • j

    Joey

    05/22/2025, 4:41 AM
    the recommendation remains to run standard checks in parallel
  • n

    Nixon

    05/22/2025, 1:14 PM
    Thanks @Joey . Will do that
  • How can I apply jobs?
    l

    LuckyBaymax

    05/22/2025, 4:35 PM
    How can I apply jobs?
    y
    • 2
    • 1
  • Hi folks!
    g

    gsimas

    05/22/2025, 5:58 PM
    Hi folks! I've began noticing tons of "context canceled" errors on Datadog traces coming from the dispatch service. Is this expected? Unsure if this has been asked before, so apologies if this information is already available elsewhere. We do not have dispatch cluster enabled, in case that's relevant
    y
    v
    • 3
    • 6
  • How does SpiceDB compare to Keycloak's
    v

    v.k

    05/23/2025, 9:24 AM
    How does SpiceDB compare to Keycloak's authorization functionality? If possible, how would they work together? Thanks
    y
    m
    +2
    • 5
    • 6
  • g

    Guillaume Berche

    05/23/2025, 2:33 PM
    Hi, I'm trying to test spicedb-kubeapi-proxy from https://github.com/authzed/spicedb-kubeapi-proxy using the default sample rules at https://github.com/authzed/spicedb-kubeapi-proxy/blob/main/deploy/rules.yaml (and contributing learnings into https://github.com/authzed/spicedb-kubeapi-proxy/issues/48 ) I'm currently blocked with the api proxy hanging while responding to k8s api requests generated from "kubectl create namespace a-namespace". With -v9 verbose logging, the proxy logs confirm the upstream backend POST call suceeded. I'm running with embedded spicedb and in memory sqlite. Triggering a thread dump by sending a SIGQUIT signal shows on thread apparently waiting for the async relations in the github.com/authzed/spicedb-kubeapi-proxy/pkg/authz.(*AuthzData).FilterObject(0xc00095f3b0, 0xc000d99268, {0xc000245880, 0x210, 0x380}) call . Is this the right place to exchange on usage of the proxy ? I see the discussions are not yet enabled onto https://github.com/authzed/spicedb-kubeapi-proxy/ and wonder whether an issue is more appropriate. EDIT: I submitted additional diagnostic details into https://github.com/authzed/spicedb-kubeapi-proxy/issues/106 Thanks in advance for your help.
  • How can we restricted api access in
    d

    demonslayer134

    05/26/2025, 6:28 AM
    How can we restricted api access in spice db , or using token or what ,how can we implement restricted api access.
    s
    v
    • 3
    • 10
  • b

    Bee

    05/27/2025, 5:35 AM
    Hi team, I'm really interested in spiceDB and wanted to share a few ideas from my perspective as an AI/ML engineer working on scalable backend systems. First off, I've been impressed by authzed's scalability—handling up to a million qps is no small feat. that said, I've noticed some performance inconsistencies and latency spikes during high-traffic periods or after feature rollouts. This might be a great opportunity to explore ML-driven anomaly detection across metrics like latency, throughput, and error rates. It could help proactively surface issues before they affect users. On a similar note, predictive analytics could be valuable for forecasting capacity needs and fine-tuning resource allocation—especially as systems scale. I also see potential around schema design and migration. while the existing CI/CD support for schema validation is solid, complex policies can still introduce subtle bugs or lead to unintended access patterns. for teams unfamiliar with zanzibar-style models, this can be a real hurdle. It might be worth exploring AI-powered tooling that can analyze application models and suggest optimized spiceDB schema definitions, or even assist with migrating legacy auth systems—automating some of the heavy lifting and reducing error-prone manual effort. I’ve got a few other ideas as well and would be happy to chat or brainstorm further if that’s helpful. Thanks for all the great work you’re doing—big fan of the project.
  • c

    caifu

    05/27/2025, 6:52 AM
    how can i connect localhost spicedb
  • c

    caifu

    05/27/2025, 6:53 AM
    i's parameter is addr=:9090 insecure=true service=metrics
  • Hey guys , i have my spicedb in k8s and
    d

    demonslayer134

    05/27/2025, 7:14 AM
    Hey guys , i have my spicedb in k8s and and have schema and relations uploaded , when i am trying to write new relationship and then delete it using grpcurl commands,its not reflecting in my database postgres , what could be the issue for it?
    j
    e
    • 3
    • 3
  • d

    demonslayer134

    05/27/2025, 9:05 AM
    I have done write relationship and check permission and then deleted in check permission again but it's not behaving fully consistent as documented in docs
  • 👋 Hello yall, how're things going?
    p

    pepegar

    05/27/2025, 9:10 AM
    👋 Hello yall, how're things going? I'm seeing some strange behaviour in our SpiceDB that I wouldn't know how to debug. On sending a request like:
    Copy code
    zed permission lookup-resources document can_comment user:$uuid --page-limit 100
    (can comment is a permission backed by a relation that allows for user:*, just in case it makes any difference) We get a flamegraph that looks like this (see attached). The strange thing is that the sql queries occur during the 1st ~10ms of the request, but then the request hangs for 30s, until it times out on server side. Do you know what can be causing this? should we just discourage the use of lookup resources for wildcard-backed relations? https://cdn.discordapp.com/attachments/844600078948630559/1376849986460979313/CleanShot_2025-05-27_at_10.08.06.png?ex=6836d2f9&is=68358179&hm=d7e08c9480a952fb7138c84293967c4f0e5026cece0c7090bdc934ba636fa971&
    y
    j
    • 3
    • 4
  • Hi all. We are using the SpiceDB
    t

    Tom C

    05/27/2025, 2:05 PM
    Hi all. We are using the SpiceDB operator for our deployment. We're also using an nginx ingress infront of the spiceDB cluster. What we are observing is if a pod is shutdown and a new pod spun up to take its place, for a few minutes after, we are seeing errors like
    rpc error: code = DeadlineExceeded desc = received context error while waiting for new LB policy update: context deadline exceeded
    We have the gRPC shutdown grace period set to 5s currently.
    y
    • 2
    • 5
  • y

    yetitwo

    05/27/2025, 2:26 PM
    because the storage doesn't work the way you think it does
  • y

    yetitwo

    05/27/2025, 2:26 PM
    in order to be able to call the API with
    at_exact_snapshot
    , postgres needs to keep around rows that have been deleted, so deletes don't actually remove rows from the database
  • y

    yetitwo

    05/27/2025, 2:26 PM
    they mark the row as deleted using the
    deleted_xid
    column
  • b

    B

    05/27/2025, 3:41 PM
    Is there a formal grammar description for the schema language?
  • y

    yetitwo

    05/27/2025, 3:48 PM
    like an abstract specification? no, not currently.
  • Hi guys!
    t

    Toi

    05/27/2025, 5:25 PM
    Hi guys! Is there a way I can propagate a traceId into the requests and have them appear inside the logs?
    y
    • 2
    • 1