its been officially deprecated and is no longer supported in SpiceDB

Hi gurus - am using the authzed-java bindings and getting some glitches in my integration testing. Am using

testcontainers-java

to host spicedb with a in-memory data store (so I can use a different token per test run to get a clean slate), and somewhat randomly, I will get

io.grpc.StatusRuntimeException: UNAVAILABLE: Network closed for unknown reason

when trying to write relationships. Seems related to my test set up though, since the first set of tests runs just great, but then subsequent test files will generate this issue for a handful of test methods, BUT, usually the last couple will pass. So, I guess my question is: when running under

serve-testing

, is spicedb ready to handle traffic as soon as gRPC ports are available, or should I be potentially waiting for some other signal it's ready? NB: I have no evidence this is what my problem is, just a suspicion. Might be a docker networking issue.

should i directly communicate with the spicedb over my angular frontend or is that a bad idea and should I have a service between them?

Communicating with spicedb requires use of a secret token. Sending that over the web is not advisable. If an attacker had it, they could mutate your instance...

yeah thats what i thought. thanks for clarifying.

will i have to map my entities in my mysql to the stuff i defined in my spicedb schema ? or does that work automatically by naming it correctly ?

If you are asking whether you can have entities automagically show up in spicedb simply by naming them appropriately in MySQL, unfortunately not, there's no such observability (there may never be, though maybe someone will be nice and build something drop in, who knows?) in spicedb. BUT: if you do some reading about transactional outboxes, you will learn about a pattern that many of us use to ensure that 'what is in one database, ends up in the other'.

There are also some official docs about how to do things like 2 phase commit to make sure your auth store reflects entity reality.

Reply to self here for posterity: for anyone else who may one day run into this problem. I have worked around my issue with gRPC issues by using a different wait strategy with my

testcontainers

fixtures. Specifically, previously I was waiting only for the first registered port (the GRPC port in this case) to start listening before starting tests. This was inadequate: spicedb was NOT ready for reasons I don't understand (nor can I be bothered finding out). Instead, I used a log tailing wait strategy and specified a wait for the server to emit the 'http server started serving' string (I am obviously also enabling the http server under test) and this has resolved my woes: I only get GRPC communication issues now if I do something stupid/intentionally bad like nuking spicedb.

I'm new to gRPC and I'm trying to get all subjects(users) have access to a specific case(resource in my system) with LookupSubjects API, but I don't know how to read the response with the authzed python SDK, though i've noticed that it's a "server_stream"-type grpc call. I'm confused that LookupSubjects(req) returns a 'grpc._channel._MultiThreadedRendezvous' object and spiceDB instance correctly processed the request, for log shows: 4:28PM INF finished call grpc.code=OK grpc.component=server grpc.method=LookupSubjects grpc.method_type=server_stream grpc.service=authzed.api.v1.PermissionsService grpc.start_time=2023-03-27T16:28:59+08:00 grpc.time_ms=0.426 peer.address=127.0.0.1:45206 protocol=grpc requestID=6b9e42701aac5a56dd018fe55871b612 -------------------------------------- [update] it works fine to me like this:

# 流式调用
    iter = client.LookupSubjects(request=req)
    for resp in iter:
        print("xxx", resp, "|", type(resp))

executed with .\zed.exe permission check organization:org1 maintainer user:eng1 --caveat-context "{'role':'sre'}" getting below error

yeah

you need to use

"

in the JSON

its a JSON literal

i tried that as well, no luck

you need to wrap it in

"

too

im getting alot of redifinition errors when trying to generate with buf

<@444996680530657281> , no luck

thats my yaml file

ah dammit now i know why sorry guys

could u pls give me the format pls

I don't use Windows so I don't know how to specify JSON on a command line

ok my buf generate still isnt working 😦

looking at the documentation for caveats:

definition user {}

caveat has_valid_ip(user_ip ipaddress, allowed_range string) {
  user_ip.in_cidr(allowed_range)
}

definition resource {
    relation viewer: user | user with has_valid_ip
    permission view = viewer
}

does

relation viewer: user | user with has_valid_ip

mean "a user who has the relation or all users with a valid IP" or does that mean "a user who has the relation or (a user who has the relation and also has a valid IP)"?

the latter, yeah

you can think of it, from an application perspective, as a user that can have allow lists disabled or enabled

okay... sounds like this might be a way to implement user personas, then? like the caveat effectively can act as a marker of whether a particular user is actually a persona or not, and it would allow checks and lookups to be filtered on that?