spicedb
- j
Jake
05/06/2022, 5:43 PMThen you don’t need a separate lookup table, they can just be decoded - j
Joey
05/06/2022, 5:46 PMrecommendation is url safe base64 - n
nshttpd
05/06/2022, 5:48 PMwe had tossed that out there and decided not to and now I can't remember why now though. Let me go change the code try that. Thanks - d
dantheman
05/06/2022, 7:44 PMHas there been any consideration of generating typed libraries from your schema that include the subjects/resources, permissions, and relation strings to avoid needing to keep them in sync manually in code? - w
williamdclt
05/06/2022, 8:04 PMwhatever the Expected Relationships tab does, couldn't it be done by ExpandPermissionTree itself? I'm pretty much reimplementing it poorly I feel! - j
Joey
05/06/2022, 8:04 PMExpandPermissionTree is explicitly not designed for that - j
Joey
05/06/2022, 8:04 PMthat's what LookupSubjects is going to do - j
Joey
05/06/2022, 8:05 PMExpandPermissionsTree, as its name implies, is designed to return a tree view, matching the structure of the schema - j
Joey
05/06/2022, 8:05 PMLookupSubjects will run the calculations to "simplify" the tree down into a set of subjects - w
williamdclt
05/06/2022, 8:12 PMFair enough - j
Joey
05/06/2022, 8:14 PMdoes sounds like LookupSubjects is needed by a bunch of people though - j
Joey
05/06/2022, 8:14 PMso we'd appreciate feedback on that issue - w
williamdclt
05/06/2022, 8:32 PMI'll take a look soon! - y
yetitwo
05/06/2022, 9:13 PMcan spicedb's postgres backend be configured with environment vars instead of CLI flags? - y
yetitwo
05/06/2022, 9:15 PMah found it: https://docs.authzed.com/spicedb/installing#flags - e
ecordell
05/06/2022, 9:16 PMyep! beat me to it - e
ecordell
05/06/2022, 9:16 PMwe have discussed that idea a bit, but I'm not sure if there's a github issue for it yet - e
ecordell
05/06/2022, 9:17 PMif you have a specific need or use-case in mind it would be helpful if you could write it up in an issue - c
crafterix
05/09/2022, 9:53 AMYes, I have a lot of intersections and unions, but I don't really use exclusions. I have rules that look like this:
or// Roles permission guest = assignees & company->guest; permission member = assignees & company->member; permission admin = admins + company->admin; permission at_least_member = member + admin; permission at_least_guest = guest + at_least_member; permission access = at_least_guest;permission access = (task->access & project->at_least_member) + (creator & project->member); - c
crafterix
05/09/2022, 10:05 AMDo you have a github issue for this? - j
Joey
05/09/2022, 7:30 PM@crafterix no, but its under active development. The first PR towards changing Lookup can be found here: https://github.com/authzed/spicedb/pull/517 - s
shubhamsinha
05/10/2022, 10:58 PMJust wanted to check if I am doing this right . So I have a schema for a resource:
The use case is that anyone in the company can delete an alert , get alert details and get alert history. However, only the user that created the alert can update it. Does this mean that when an alert is created I need to create two sets of permissions: One with the company and another one with the user? Is there a better way to write the schema?definition alert { relation company: company relation user: user permission update_alert = user permission delete_alert = company permission get_alert = company permission get_metric_alert_history = company } - j
Jake
05/10/2022, 11:18 PMdefinition user {} definition company { relation user: user } definition alert { relation creator: user relation company: company permission update_alert = creator permission delete_alert = company->user permission get_alert = company->user permission get_metric_alert_history = company->user } - j
Jake
05/10/2022, 11:19 PM> Does this mean that when an alert is created I need to create two sets of permissions: One with the company and another one with the user? Yes this is likely how you will want to model it - j
Jake
05/10/2022, 11:21 PMif you absolutely wanted to do only one relationships per alert, and you wanted to front-load by creating more relationships between users and companies, you could do:/** More denormalized, assumes the all users belong to only one company, and you can infer an alert's company by its creator user */ definition user { relation company: company permission company_users = company->user } definition company { relation user: user } definition alert { relation creator: user permission update_alert = creator permission delete_alert = creator->company_users permission get_alert = creator->company_users permission get_metric_alert_history = creator->company_users } - j
Jake
05/10/2022, 11:22 PM@shubhamsinha ^ - s
shubhamsinha
05/10/2022, 11:33 PMGot it thanks @Jake . Are there any drawbacks of going with the first approach of creating the two sets of permissions? Just making sure I am not going against a best practice - j
Jake
05/10/2022, 11:33 PMNope, totally fine and you can create them atomically with a single write call - s
shubhamsinha
05/10/2022, 11:35 PMRight makes sense. Thanks for your help! - l
LemmeCode
05/11/2022, 1:40 AMHi there guys. I'm trying to study and understand better how large-scale applications handle authorization and authentication. I started with things like Keycloak which was giving me pretty much everything authentication&authorization out of the box. I found out about SpiceDB and Zanzibar and really liked it and I'm feeling like now I need to understand a little better how they handle things but one thing still doesn't enter my head. I'm reading A LOT but I can't figure out this: if SpiceDB can help me with authorization, what about the authentication portion? How do those companies handle that? For example, I found out about OIDC but it's a layer on top of OAuth 2.0 which is for authorization so where does SpiceDB enter here? Keycloak gives me not only authentication but also user storage and stuff, do you guys know other alternatives for that? Like authentication & storage only so I can use it along with SpiceDB? Authentication and authorization give me goosebumps, sooo complex haha. Thank you guys.