spicedb
  • Joey
    03/26/2023, 4:22 PM
    It's been officially deprecated and is no longer supported in SpiceDB.
  • soap_work
    03/27/2023, 4:12 AM
    Hi gurus, I am using the authzed-java bindings and getting some glitches in my integration testing. I am using `testcontainers-java` to host SpiceDB with an in-memory datastore (so I can use a different token per test run to get a clean slate), and somewhat randomly I will get `io.grpc.StatusRuntimeException: UNAVAILABLE: Network closed for unknown reason` when trying to write relationships. It seems related to my test setup though, since the first set of tests runs just great, but then subsequent test files will generate this issue for a handful of test methods, BUT usually the last couple will pass. So I guess my question is: when running under `serve-testing`, is SpiceDB ready to handle traffic as soon as the gRPC ports are available, or should I potentially be waiting for some other signal that it's ready? NB: I have no evidence this is what my problem is, just a suspicion. It might be a Docker networking issue.
  • TheRealKlaus
    03/27/2023, 5:49 AM
    Should I communicate directly with SpiceDB from my Angular frontend, or is that a bad idea and should I have a service between them?
  • soap_work
    03/27/2023, 6:17 AM
    Communicating with SpiceDB requires the use of a secret token. Sending that over the web is not advisable. If an attacker had it, they could mutate your instance...
  • TheRealKlaus
    03/27/2023, 6:21 AM
    Yeah, that's what I thought. Thanks for clarifying.
  • TheRealKlaus
    03/27/2023, 6:22 AM
    Will I have to map my entities in MySQL to the stuff I defined in my SpiceDB schema, or does that work automatically by naming them correctly?
  • soap_work
    03/27/2023, 6:26 AM
    If you are asking whether you can have entities automagically show up in SpiceDB simply by naming them appropriately in MySQL, unfortunately not; there's no such observability in SpiceDB (there may never be, though maybe someone will be nice and build something drop-in, who knows?). BUT: if you do some reading about transactional outboxes, you will learn about a pattern that many of us use to ensure that "what is in one database ends up in the other".
  • soap_work
    03/27/2023, 6:27 AM
    There are also some official docs about how to do things like two-phase commit to make sure your auth store reflects entity reality.
  • soap_work
    03/27/2023, 6:38 AM
    Reply to self here for posterity, for anyone else who may one day run into this problem. I have worked around my gRPC issues by using a different wait strategy with my `testcontainers` fixtures. Specifically, previously I was waiting only for the first registered port (the gRPC port in this case) to start listening before starting tests. This was inadequate: SpiceDB was NOT ready, for reasons I don't understand (nor can I be bothered finding out). Instead, I used a log-tailing wait strategy and specified a wait for the server to emit the 'http server started serving' string (I am obviously also enabling the HTTP server under test), and this has resolved my woes: I only get gRPC communication issues now if I do something stupid/intentionally bad like nuking SpiceDB.
  • youling66
    03/27/2023, 8:40 AM
    I'm new to gRPC and I'm trying to get all subjects (users) that have access to a specific case (a resource in my system) with the LookupSubjects API, but I don't know how to read the response with the authzed Python SDK, though I've noticed that it's a "server_stream"-type gRPC call. I'm confused that LookupSubjects(req) returns a `grpc._channel._MultiThreadedRendezvous` object, while the SpiceDB instance correctly processed the request, as the log shows:
    4:28PM INF finished call grpc.code=OK grpc.component=server grpc.method=LookupSubjects grpc.method_type=server_stream grpc.service=authzed.api.v1.PermissionsService grpc.start_time=2023-03-27T16:28:59+08:00 grpc.time_ms=0.426 peer.address=127.0.0.1:45206 protocol=grpc requestID=6b9e42701aac5a56dd018fe55871b612
    [update] it works fine for me like this:
    ```python
    # Streaming call: LookupSubjects is a server-streaming RPC, so the SDK
    # returns an iterator over LookupSubjectsResponse messages rather than a
    # single response. `client` and `req` are constructed earlier as in the
    # authzed-py docs.
    stream = client.LookupSubjects(request=req)
    for resp in stream:
        print("xxx", resp, "|", type(resp))
    ```
  • ab.sh.1010
    03/29/2023, 4:12 PM
    Executed `.\zed.exe permission check organization:org1 maintainer user:eng1 --caveat-context "{'role':'sre'}"` and getting the error below:
    https://cdn.discordapp.com/attachments/844600078948630559/1090669779951566909/image.png

  • Joey
    03/29/2023, 4:18 PM
    yeah
  • Joey
    03/29/2023, 4:18 PM
    you need to use `"` in the JSON
  • Joey
    03/29/2023, 4:18 PM
    it's a JSON literal
  • ab.sh.1010
    03/29/2023, 4:23 PM
    I tried that as well, no luck.
    https://cdn.discordapp.com/attachments/844600078948630559/1090672562901631076/image.png
    https://cdn.discordapp.com/attachments/844600078948630559/1090672563199410346/image.png

  • Joey
    03/29/2023, 4:23 PM
    you need to wrap it in `"` too
  • Joey
    03/29/2023, 4:24 PM
    `--caveat-context="{\"foo\": \"bar\"}"`
  • TheRealKlaus
    03/29/2023, 4:33 PM
    I'm getting a lot of redefinition errors when trying to generate with buf.
    https://cdn.discordapp.com/attachments/844600078948630559/1090675025364930601/image.png

  • ab.sh.1010
    03/29/2023, 4:34 PM
    <@444996680530657281>, no luck
    https://cdn.discordapp.com/attachments/844600078948630559/1090675237034672230/image.png

  • TheRealKlaus
    03/29/2023, 4:34 PM
    That's my yaml file:
    https://cdn.discordapp.com/attachments/844600078948630559/1090675348271808582/image.png

  • TheRealKlaus
    03/29/2023, 4:35 PM
    Ah dammit, now I know why. Sorry guys.
  • ab.sh.1010
    03/29/2023, 4:38 PM
    Could you please give me the format?
  • Joey
    03/29/2023, 4:40 PM
    I don't use Windows, so I don't know how to specify JSON on a command line.
  • ab.sh.1010
    03/29/2023, 4:49 PM
    https://cdn.discordapp.com/attachments/844600078948630559/1090679034045808790/image.png

  • TheRealKlaus
    03/29/2023, 5:00 PM
    OK, my buf generate still isn't working 😦
  • yetitwo
    03/29/2023, 6:46 PM
    Looking at the documentation for caveats:
    ```zed
    definition user {}

    caveat has_valid_ip(user_ip ipaddress, allowed_range string) {
      user_ip.in_cidr(allowed_range)
    }

    definition resource {
        relation viewer: user | user with has_valid_ip
        permission view = viewer
    }
    ```
    does `relation viewer: user | user with has_valid_ip` mean "a user who has the relation or all users with a valid IP", or does it mean "a user who has the relation or (a user who has the relation and also has a valid IP)"?
  • vroldanbet
    03/29/2023, 6:47 PM
    The latter, yeah.
  • vroldanbet
    03/29/2023, 6:48 PM
    You can think of it, from an application perspective, as a user that can have allow lists disabled or enabled.
  • yetitwo
    03/29/2023, 6:49 PM
    Okay... sounds like this might be a way to implement user personas, then? Like the caveat can effectively act as a marker of whether a particular user is actually a persona or not, and it would allow checks and lookups to be filtered on that?
  • arielcamperi
    03/29/2023, 6:53 PM
    Hi there, does anyone have any tips for modeling singleton resources? In my specific case, while we have a bunch of permissions related to specific resources in our domain (irrespective of UI), I'm finding that we want to model some permissions that are purely about whether a user can view a certain page in a UI. I'm guessing we need to actually model our UI app as a resource, but I'm not sure of the best way to do that. For instance, we can have a `definition our_app`, but when actually writing relationships I'm not sure what to use as the resource ID (`our_app:singleton`? `our_app:any`?). I'd love any thoughts you have on this, thanks!