# spicedb
  • j

    Joey

    09/06/2025, 2:26 AM
    looks like it was copied without the escaping being taken into account
  • Caveats or Resources, how to decide?
    v

    verdverm.com

    09/06/2025, 11:17 PM
    I'm trying to represent users, groups, and resources over - DIDs (users) - AtURI (content-addressable resource ids: `<did>/<space>/[nsid]/<rkey>`) [full schema](https://github.com/blebbit/atproto/blob/main/packages/pds/src/authz/spicedb/schema/atproto.zed) I have a resource type for each segment of the segments, with a parenting setup to support nesting/hierarchy, and each AtUri has an associated data record tied to it, except for `nsid`. They are only for structuring records and granting permissions, in OAuth scopes today, and content/methods tbd, that's what I'm working on. NSID are defined by any DID, it's a very dynamic list. There are `nsid` for queries and procedures that will never have records, but we still want to put permissions over them. Certain `nsid` are expected to have high numbers of records and storing the parenting relationship in spice, which seems inefficient? Are caveats something that can help me here? What if those caveats are large sets? The new way to specify OAuth scopes over the dynamic NSID is as a permission set https://github.com/bluesky-social/proposals/blob/main/0011-auth-scopes/README.md#permission-sets I imagine we need something similar for the custom roles that we want in the content permission system, and then have to reflect those within spice by making a number of calls, or a bulk input? (maybe one day even replace the OAuth permission setup and unify the two... #futurology)
    y
    • 2
    • 35
  • s

    smithp4ntz

    09/07/2025, 1:38 AM
    If I’m deploying the same service in Dublin, New Jersey, North Carolina can I get away with using PostgreSQL? What approaches do folks take?
  • s

    smithp4ntz

    09/07/2025, 1:40 AM
    Would I have to take care of atomic txg that span across all regions using something like Temporal Workflows to update individual SpiceDBs in PG?
  • j

    Joey

    09/07/2025, 1:58 AM
    if you're deploying multi-region, you need to use a multi-HA system like CRDB or you need to have all writes going to a single region
  • j

    Joey

    09/07/2025, 1:58 AM
    external transaction managers will not work
  • s

    smithp4ntz

    09/07/2025, 2:01 AM
    What strategy can I use for reads? Sync / Async replication to the local sites?
  • j

    Joey

    09/07/2025, 2:18 AM
    you can use read replica support
  • j

    Joey

    09/07/2025, 2:18 AM
    but I would recommend using CRDB
  • s

    smithp4ntz

    09/07/2025, 2:21 AM
    Is SpiceDB sticking with the feature set that is available in the latest Apache v2 licensed version?
  • j

    Joey

    09/07/2025, 2:21 AM
    ?
  • s

    smithp4ntz

    09/07/2025, 2:22 AM
    CRDB went BSL
  • s

    smithp4ntz

    09/07/2025, 2:23 AM
    I'm wondering if spicedb is going to use features available in the BSL versions, it's the reason I was looking at PG
  • j

    Joey

    09/07/2025, 2:26 AM
    unless CRDB moves more features to BSL, I don't see that being the case
  • j

    Jason H

    09/07/2025, 2:26 AM
    One of the challenges in authz systems is understanding what attributes are required in order to allow someone to be granted access - especially when they are denied access. I am new to spicedb so can you please help me understand how this problem is addressed?
  • j

    Joey

    09/07/2025, 2:26 AM
    in what context?
  • y

    yetitwo

    09/07/2025, 2:29 AM
    one thing that may help is the `--explain` flag on `zed` calls - it can show you the path by which a user was (or wasn't) granted access. i don't think it will compare it to the entire schema as it's currently implemented - it will only tell you where the path starts and ends. otherwise my usual approach is to manually trace based on reading the schema and issuing readrels to check hops. this could be a nice enhancement for zed, though.
  • j

    Jason H

    09/07/2025, 2:45 AM
    Thank you. I will spend some time looking into --explain - my guess is that it's useful for describing why an authz decision was made - and not so much for what would have been required in the event of failures. It's that manual tracing that is cumbersome - especially at scale...
  • y

    yetitwo

    09/07/2025, 2:45 AM
    in my experience (e.g. using SpiceDB at my old company) i'm not typically having to do much of it. do you have a particularly complex schema?
  • y

    yetitwo

    09/07/2025, 2:46 AM
    like what's the task you're envisioning?
  • j

    Jason H

    09/07/2025, 7:36 AM
    I haven’t designed a schema yet - but here’s a simple example. Let’s say we are locking down access to specific tables using groups - different group for each table - potentially different variation of the group for read vs write. When you have a large no of tables and large number of users it would be ideal for error message returned to say what group is required for access so the user can self serve. That’s a very simple example obviously.
  • y

    yetitwo

    09/07/2025, 1:18 PM
    unless everything is dynamic, i'd expect that you'd know something about your schema that would be exposed in your UI. if everything is dynamic, i'd probably strive to keep the schema relatively flat, and provide UI elements like AWS IAM or something like that where it tells the user what permission they're missing to do a particular thing, such that it'd be relatively easy for a user to translate missing permission -> missing role. this was something that we talked about at my last company, but things never got complex enough to warrant it.
  • j

    Jason H

    09/07/2025, 1:20 PM
    I’ll take a look in the next few days. Thanks for responding though!
  • What are permission spaces? Is that the
    v

    verdverm.com

    09/09/2025, 6:39 AM
    What are permission spaces? Is that the `<space>/user:<id>` on all resources? Can I use that for partitioning relations in the same database / spicedb instances?
    v
    • 2
    • 5
  • v

    verdverm.com

    09/10/2025, 1:58 AM
    just wanted to say how helpful it is that the tooling allows me to build, test, and experiment with my schema without having to touch code while I figure things out
  • j

    Joey

    09/10/2025, 2:40 AM
    that's the goal 🙂
  • Hey team, we noticed the latest `authzed
    s

    seanxiang

    09/10/2025, 4:37 AM
    Hey team, we noticed the latest `authzed-py` release `1.22.0` might have been broken. I've raised an issue [here](https://github.com/authzed/authzed-py/issues/280). We are currently pinning to an earlier version as a workaround but would appreciate a fix at some point. Thank you!
    y
    • 2
    • 4
  • How to sign up for the cloud service? I'
    m

    Mohammed

    09/11/2025, 9:40 AM
    How to sign up for the cloud service? I'm on authzed.com/cloud/signup but there's nothing on this page besides lita cho from moment telling me how great authzed is
    v
    • 2
    • 6
  • Terrible idea to put the last message in
    m

    Mohammed

    09/11/2025, 9:54 AM
    Terrible idea to put the last message in this channel up on the website
    v
    • 2
    • 4
  • m

    Mohammed

    09/11/2025, 9:55 AM
    At least use the display name and not my discord user name