There was a formatting error (used

:

instead of

=

in a relations) , but not line nr on the error, which is fun on a long file

ahhh yeah that's not ideal. we're dropping that context somewhere. i'll add an issue to the repo.

clarification: is this with the

schema:

key or with the

schemaFile:

key?

I'll add the example tomorrow when I am back at work

thank you!

Hello All , I am tring to WATCH spicedb using java authz api version 1.3 , using streaming .. when I connect to local spicedb works which is over http but when I connect to devbox exposed over ssl its not getting data , I check server cert and imported to application but still its failing , i can see TLS1.3 is used and hanshake is success

Hello Guys. I have a slight problem in production where my pods are restarting due to a` invalid memory address or nil pointer dereference` 🧵

Hey folks. A rather broad question: Is there any effort ongoing to help openID authZEN or to support the implementers draft? Context: I've just checked out and found it very fitting, esp. with the bulk calls they add in draft 1.1

nvm, just found https://discord.com/channels/844600078504951838/900405749405089812/1359904145422815323 - let's put it that way: I understand the "little traction" argument, but i'd love an open standard and customers should, too 😉

Hi, I am on a very old version of spicedb (1.13) + mysql8. I'm trying to figure out what i need to do to upgade, but it seems like the only way is checking all the github releases? Basically I want to know if I can just upgrade to the latest and migrate, or are there any major "stepping stones" I need to upgrade to first?

are you using any of the experimental APIs or the old V0 API?

github.com/authzed/authzed-go/proto/authzed/api/v0

is the v0 api? we aren't using it

and no experimental apis

then it should be safe, minus some flags that we've removed. I'd recommend backing up your datastore entirely, then trying the migration on a copy

if that works without issues, then upgrade the real install

Hey, on service startup we import the schema into spicedb, this has been working great for a long time, but all of a sudden today we get error like `failed to write schema: rpc error: code = InvalidArgument desc = cannot delete object definition

group

, as a relationship exists under it`. The code is basically doing the same as

zed import

(https://github.com/authzed/zed/blob/main/internal/cmd/import.go#L109C6-L109C18).We sporadically saw this error in the logs, but today it just happens on every start of the service. The error is always

cannot delete object definition

with with a seemingly random type. We're a bit behind with updates (1.33.1). Any idea why the system believe we want to update an object definiton? The schema has all the definitons as before, so far we only ever added things

On the latest version of spicedb I'm seeing (with mysql): "unable to query relationships: scan err: sql: Scan error on column index 3, name \"caveat_context\": unsupported type: []uint8"

Spicedb 1.45.1, MySQL 8.0.40

Good morning. Can anyone tell what I am doing wrong? I can't seem to write this relationship using the Java API. I am getting this error. Nevermind. I was looking at the wrong block of code. This works as expected 👍 "INVALID_ARGUMENT: subjects of type

organization_usergroup

are not allowed on relation `environment#accessor`; did you mean

organization_usergroup#member

?""

yaml
defintion solution {
  relation launcher: user | organization_usergroup#member
}

java
WriteRelationshipsRequest request = WriteRelationshipsRequest.newBuilder()
                .addUpdates(RelationshipUpdate.newBuilder()
                        .setOperation(RelationshipUpdate.Operation.OPERATION_TOUCH)
                        .setRelationship(Relationship.newBuilder()
                                .setResource(ObjectReference.newBuilder()
                                        .setObjectType("solution")
                                        .setObjectId(solutionId)
                                .setRelation("launcher")
                                .setSubject(SubjectReference.newBuilder()
                                        .setObject(ObjectReference.newBuilder()
                                                .setObjectType("organization_usergroup")
                                                .setObjectId(targetUserGroupId))
                                        .setOptionalRelation("member"))))
                .build();

Hi, I want to integrate spicedb with Istio service mesh for Authorization. I believe web assembly could help me . Does anyone have any suggestions or GitHub link for the same.

To avoid exceeding our database’s connection limit (RDS Postgres with 1.6K max connections), we apply this pattern at the moment -> replicas (number of SpiceDB pods) × (readMaxOpen + writeMaxOpen) ≤ db.max_connections – headroom. When having a RDS proxy in front of the database, do you have any suggestions on how to configure properly the readMaxOpen and writeMaxOpen connections on SpiceDB level? Should the logic remain the same? Thanks in advance.

Hey, i understand the general recommendation is to save zookies or zedtokens on the row level. Given a schema like this:

definition user {}

definition team {
    relation member: user
}

definition folder {
    
    relation admin: user | team#member
    permission create_file = admin
}

definition file {
    relation parent: folder
    relation editor: user | team#member
    permission edit = parent->create_file + editor
}

can i save the zedtokens on the file level? Will it handle changes to the folder#admin relation / team#member relation?

the idea is that when you change the contents of a file or its relationships (e.g. moving it from one folder to another), you get a zedtoken and then save it on your DB representation of the file

we typically phrase the new enemy problem as whether someone is able to see updates to a file that have happened since they lost access

so you check on the file when the user attempts to access the file's contents

and otherwise you don't worry about changes to other parts of the tree

like if a user loses access to a file but that file still comes back in a LookupResources request, that's not necessarily a problem because they don't have any new information about the file

Is lookupresources computed in realtime or does it use a cache? My problem is, i have a user that has to load multiple list endpoints on page load. All of these list endpoints call lookupresources with the same parameters and it seems that they slow eachother down. The call returns ~1000 ids. What would be the best way to handle this?