Joey
09/07/2025, 2:21 AM
smithp4ntz
09/07/2025, 2:22 AM
smithp4ntz
09/07/2025, 2:23 AM
Joey
09/07/2025, 2:26 AM
Jason H
09/07/2025, 2:26 AM
Joey
09/07/2025, 2:26 AM
yetitwo
09/07/2025, 2:29 AM
`--explain` flag on `zed` calls - it can show you the path by which a user was (or wasn't) granted access. I don't think it will compare it to the entire schema as it's currently implemented - it will only tell you where the path starts and ends.
Otherwise my usual approach is to manually trace based on reading the schema and issuing readrels to check hops. This could be a nice enhancement for zed, though.
Jason H
09/07/2025, 2:45 AM
yetitwo
09/07/2025, 2:45 AM
yetitwo
09/07/2025, 2:46 AM
Jason H
09/07/2025, 7:36 AM
yetitwo
09/07/2025, 1:18 PM
Jason H
09/07/2025, 1:20 PM
verdverm.com
09/09/2025, 6:39 AM
`<space>/user:<id>` on all resources? Can I use that for partitioning relations in the same database / spicedb instances?
verdverm.com
09/10/2025, 1:58 AM
Joey
09/10/2025, 2:40 AM
seanxiang
09/10/2025, 4:37 AM
`authzed-py` release 1.22.0 might have been broken. I've raised an issue [here](https://github.com/authzed/authzed-py/issues/280). We are currently pinning to an earlier version as a workaround but would appreciate a fix at some point. Thank you!
Mohammed
09/11/2025, 9:40 AM
Mohammed
09/11/2025, 9:54 AM
Mohammed
09/11/2025, 9:55 AM
verdverm.com
09/13/2025, 5:56 PM
`zed preview schema compile`). This one file replaces all the other zed files in that directory (`_at.zed` is the previous schema compiled from all the resource.zed files)
- https://github.com/blebbit/atproto/blob/main/packages/pds/src/authz/spicedb/schema/atproto.cue
- https://github.com/blebbit/atproto/blob/main/packages/pds/src/authz/spicedb/schema/atcue.zed
Chung
09/15/2025, 7:27 AM
```sh
spicedb migrate head --datastore-engine=postgres --datastore-conn-uri='postgres://user:-.$[_@localhost:5432/spicedb?sslmode=disable'
7:25AM ERR terminated with errors error="unable to create migration driver for postgres: cannot parse `postgres://user:xxxxxx@localhost:5432/spicedb?sslmode=disable`: failed to parse as URL (net/url: invalid userinfo)"
```
Conviley
09/15/2025, 12:51 PM
```zed
definition document_database {
    relation project_database: project_database
    relation organisation_database: organisation_database
    permission view = ...
}

definition document {
    relation document_database: document_database
    relation viewer: user
    permission view = document_database->view + viewer & document_database->project // i tried this but it does not work, also it does not make sense. What would it even mean to intersect `viewer` and `document_database->project`? it probably becomes the empty set
}
```
Is there some way to express that a user has view permission if they have one of
1. they have document_database->view
2. viewer and not document_database->organisation_database (alternatively viewer and the document_database->project relation exists)
i.e. they have view access only if
1. they can view the database that the document belongs to (trivial, just document_database->view)
2. or they are related via `viewers` and the document_database is a project_database (organisation database documents will not be shared with users who are only `viewer`s)
Chung
09/16/2025, 12:33 AM
`spicedb` in production?
Say I followed [the instructions](https://authzed.com/docs/spicedb/getting-started/install/debian#installing-spicedb-using-apt-get) to install spicedb on my Debian box. How should I start spicedb so that it acts as a daemon/service and can auto-restart upon crash?
In dev, I simply do
```sh
spicedb serve --grpc-preshared-key 12345678 \
  --datastore-engine=postgres \
  --datastore-conn-uri="postgres://postgres:postgres@localhost:5432/spicedb?sslmode=disable"
```
Joey
09/16/2025, 12:50 AM
sp132
09/16/2025, 7:13 AM
`--dispatch-cache-num-counters` flag (which I'm setting with the `SPICEDB_DISPATCH_CACHE_NUM_COUNTERS` env var). In my testing it doesn't have any effect at all - whether it's 1 or 1000000.
I've prepopulated the database with 10000 users and 10000 grants (1 to 1 relation) and am running the following scenario on them:
```yaml
{{- range $j := enumerate 2000 }}
---
name: "min latency check"
weight: 80
steps:
  - op: CheckPermission
    resource: core/geohash_grant:{{ $j }}
    permission: view
    subject: core/user:{{ $j }}
    consistency: MinimizeLatency
    expectNoPermission: false
---
name: "fully consistent check"
weight: 20
steps:
  - op: CheckPermission
    resource: core/geohash_grant:{{ $j }}
    permission: view
    subject: core/user:{{ $j }}
    consistency: FullyConsistent
    expectNoPermission: false
{{- end }}
```
On the screenshot there are a couple of annotations:
- the first one is where I set `SPICEDB_DISPATCH_CACHE_NUM_COUNTERS` to 1
- the second one is where I set `SPICEDB_DISPATCH_CACHE_NUM_COUNTERS` to 1000000
- the third one, with an improvement, is a change to the datastore quantization interval from 5s to 15s
- the fourth one is where I've removed the fully consistent check from the Thumper script
- the fifth one - the quantization interval is set to the default value of 5s again
LFU cache metrics (second screenshot) show a much higher hit rate (although `SPICEDB_DISPATCH_CACHE_NUM_COUNTERS` doesn't seem to have an effect on it either).
Can someone explain what `SPICEDB_DISPATCH_CACHE_NUM_COUNTERS` is supposed to be doing please?
https://cdn.discordapp.com/attachments/844600078948630559/1417407970375110686/image.png?ex=68ca5f8a&is=68c90e0a&hm=8e317f384c0b67d17f398af6a1d8c87b1212b731e882fa02cfa2dc7ba5ba9b31&
https://cdn.discordapp.com/attachments/844600078948630559/1417407970945273856/image.png?ex=68ca5f8a&is=68c90e0a&hm=00c8718de1b94354e10492461e08413b1bd174a7bae0f94a278e407a5d73de58&
verdverm.com
09/16/2025, 7:55 PM
```ts
//
// DUAL WRITE PROBLEM
//
await dualWriteTransaction({
  ctx,
  repo: repoDid,
  // (DWP/1) writes to the repo database
  actorOps: async (actorTxn: ActorStoreTransactor) => {
    // space (self/profile) record
    actorTxn.space.insertRecord({
      uri: spaceRecord.uri,
      space: spaceRecord.uri.space,
      collection: spaceRecord.uri.collection,
      rkey: spaceRecord.uri.rkey,
      cid: spaceRecord.cid,
      record: spaceRecord.record,
      did: reqDid,
    })
    // space (owner/parent) record
    actorTxn.space.insertRecord({
      uri: spaceRelation.uri,
      space: spaceRelation.uri.space,
      collection: spaceRelation.uri.collection,
      rkey: spaceRelation.uri.rkey,
      cid: spaceRelation.cid,
      record: spaceRelation.record,
      did: reqDid,
    })
  },
  // (DWP/2) writes to the authz service
  authzOps: async (spicedbClient) => {
    await createRelationship(spicedbClient, resource, relation, subject)
  },
})
// TODO, (DWP/3) background reconciliation process
```
Conviley
09/17/2025, 8:20 AM
Gribben
09/17/2025, 12:48 PM
tonnenpinguin
09/17/2025, 1:48 PM
`authzed/spicedb:v1.45.4` in my local docker-compose setup without any issues.
For reference I attached the startup log output.
When my application is trying to establish a gRPC connection with spicedb all I see are timeouts.
https://cdn.discordapp.com/attachments/844600078948630559/1417869914521206794/message.txt?ex=68ccb682&is=68cb6502&hm=365eecfb402485e6aa5a373a79a1d260b7b107885780f6034fefaad6bcc954fc&