https://authzed.com logo
Join Discord
Powered by
# spicedb
  • s
    It returns: 
    add-index-for-transaction-gc
  • how are you running it?
    j
    how are you running it?
    s
    y
    • 3
    • 24
  • Hello Guys.
    r
    Hello Guys. We are seeing some memory problems in our spiceDb related to OTEL. (image above) Has this problem been reported yet? I have seen that the latest versions of spiceDb is changing some of the OTEL libs & Middleware. We at v1.45.3. https://cdn.discordapp.com/attachments/844600078948630559/1421065745130979339/stitched_log.png?ex=68d7ae1b&is=68d65c9b&hm=b385a3535ac534c1578d0995b919607c4ccd1b3e494bd3bf5c8a02059ffbba8d&
    y
    • 2
    • 10
  • Is there a DSL<>JSON transformer available?
    m
    (This may be an XY problem where there's an underlying skill issue in writing a maintainable fine-grained + hierarchical schema) When adding a new capability to a hierarchical schema, it seems like one would have to define relations and permissions on each parent in the hierarchy. So can_create_project would be added to grant, project, team, organization, ... and each is checking parent->can_create_project The cloud modelling blog post shows an example of how granting multiple layers of parents some granular permission requires updates in multiple places https://authzed.com/blog/google-cloud-iam-modeling So at this point I imagined a JSON format that is managed programatically, where the output is transformed to 
    .zed
    for human validation, education, and so on. I'm curious how the team currently recommends building and maintaining these larger schemas, how often it leads to programatically producing 
    .zed
    files, and if those folks would like to write JSON but read 
    .zed
    instead.
    y
    v
    • 3
    • 16
  • I was wondering if you guys have written
    w
    I was wondering if you guys have written/recommend any particular migration tooling for schema changes - we've rolled one in house, but would prefer to go with something more official if it exists
    y
    • 2
    • 9
  • Hi!
    c
    Hi! I read in a previous thread that there is no notion/concept of cascading deletes of relationships, is this still the case and if so what is the best way to deal with this? Thanks!
    y
    • 2
    • 10
  • We’re adding permission management to
    m
    We’re adding permission management to our company’s system using SpiceDB. Instead of calling ReadRelationships for each individual relation, is there a way to pull back a large number of relations in one go?
    y
    j
    • 3
    • 2
  • LookupSubjects is unexpectedly recursive
    g
    Hello, When I use LookupSubjects to find all the roles and users who have access to the feature, it ends up giving me false positives (I think). I read that LookupSubjects walks the whole tree, but would it really return the users of the roles that have access to the feature? And if so, what should I use instead? This is how I'm using lookupSubjects, where I look for the subjectType of either role#member or user, to get all the roles or all the users.
    Copy code
    const rolesWithAccess = await lookupSubjects(companyId, {
        permission: "allow_access",
        resource: {
          type: "feature",
          id: feature,
        },
        subjectObjectType: "role",
        optionalSubjectRelation: "member",
      });
      const userIdsWithAccess = await lookupSubjects(companyId, {
        permission: "allow_access",
        resource: {
          type: "feature",
          id: feature,
        },
        subjectObjectType: "user",
      });
    Schema:
    Copy code
    /** give access to a specific user or role group */
    relation allow_access: role#member | user
    It first of all returns a list with the same role elements, which I guess is because multiple users have that role (This is not a big issue but perhaps is an indicator that I'm doing something wrong?). Secondly, even though I have not populated allow_access with any users it returns the users that have the roles which have access to the feature. I ultimately just wanted to figure out why the user has access, either by it's role or if the specific user has been granted access. Thanks in advance 🙂
    j
    • 2
    • 11
  • Has anyone integrated spicedb with
    h
    Has anyone integrated spicedb with authentik before, and is there any guides?
    y
    • 2
    • 7
  • Optimizing Latencies with SpiceDB's Dist...
    p
    Hello folks, I'm trying to wrap my head a bit around how spicedb dispatch works. https://authzed.com/blog/consistent-hash-load-balancing-grpc mentions that > SpiceDB dispatches to the next N "clockwise" nodes in the ring. This N is often called the spread. And, my understanding is that if N>1 , the request will be dispatched to N nodes, is that right? (BTW, is this were request hedging happens? we race these N requests to other nodes). The reason I'm wondering this is that I want to know how protected are we from having hot partitions in SpiceDB (not in the underlying cockroachdb), and my understanding is that, if we forward dispatch requests to N nodes, we'd be more protected than if we only dispatched to 1 node that could be congested.
    y
    • 2
    • 6
  • Hi Everyone. I am not understanding y my
    b
    Hi Everyone. I am not understanding y my assertion is failing. Can anyone help me please? https://play.authzed.com/s/eoNoF6H1oSwQ/assertions
    y
    j
    • 3
    • 5
  • s
    The errors returned from spicedb typically have a numerical error code, or at least from the nodejs client they do
  • s
    Error: 6 ALREADY_EXISTS
  • s
    is there an enum or place that describes what the known error codes are?
  • y
    yeah sec
  • y
  • s
    Does this get exposed from the client libs and I'm just not seeing it?
  • y
    typically yes
  • y
    it's in an enum somewhere
  • s
    ok
  • y
    is it the nodejs client you're talking about?
  • s
    yeah
  • y
  • y
    you should be able to compare those in your error handling logic
  • s
    yeah, I see it in the typescript, but I don't think its exported via anything in the common js. 
    https://github.com/authzed/authzed-node/blob/v1.1.1/src/index.ts
    This just re-exports v1. But I don't think 
    v1
    exports the error reasons. un less I'm just looking completely at the wrong thing
    Copy code
    var authzed = require('@authzed/authzed-node')
Object.keys(authzed.v1).sort().filter(name => (/^e/i).match(name))

[
  'ExpCaveat',
  'ExpCaveatParameter',
  'ExpCaveatParameterTypeChange',
  'ExpDefinition',
  'ExpPermission',
  'ExpRelation',
  'ExpRelationReference',
  'ExpRelationSubjectTypeChange',
  'ExpSchemaDiff',
  'ExpSchemaFilter',
  'ExpTypeReference',
  'ExpandPermissionTreeRequest',
  'ExpandPermissionTreeResponse',
  'ExperimentalComputablePermissionsRequest',
  'ExperimentalComputablePermissionsResponse',
  'ExperimentalCountRelationshipsRequest',
  'ExperimentalCountRelationshipsResponse',
  'ExperimentalDependentRelationsRequest',
  'ExperimentalDependentRelationsResponse',
  'ExperimentalDiffSchemaRequest',
  'ExperimentalDiffSchemaResponse',
  'ExperimentalReflectSchemaRequest',
  'ExperimentalReflectSchemaResponse',
  'ExperimentalRegisterRelationshipCounterRequest',
  'ExperimentalRegisterRelationshipCounterResponse',
  'ExperimentalService',
  'ExperimentalServiceClient',
  'ExperimentalUnregisterRelationshipCounterRequest',
  'ExperimentalUnregisterRelationshipCounterResponse',
  'ExportBulkRelationshipsRequest',
  'ExportBulkRelationshipsResponse'
]
  • y
    ah, you're right. that's an oversight on my part... lemme get a PR up for that. and at some point I want to make the exports more sane for this library so that there's less chance of this happening.
  • y
  • s
    Confirmed
  • s
    Thanks for the quick fix!
  • y
    sure thing!