This is a backlog item for Authzed.com and Authzed Enterprise right now. If you would like to talk about your particular use case and requirements, we would love to hear them. Feel free to set up a call through our contact page: https://authzed.com/contact/

I see that, Is there anyway to leverage namespace/ prefix-object and achieve the same?

Another question, do you have any example of achieving ABAC using spiceDB?

I think you're correct that we are naively setting that value. The size for the cache should include the referenced memory for metadata as well.

Consider this use case. Let's say we want to use spicedb to authorize access to network ports on a host. One way would be add each network port exposed on a host as a resource along the lines of ":" into spicedb and program relations to allow only certain users access to the network ports. However, say there are some 'super users' that should be allowed access to any of the network ports on the host. Is there a way to express this without enumerating each potential network port (in thousands) on each host as a resource in spicedb? We could possibly express a relation between the super user and the host, but that would require two check requests, one against host:port and one against host. Another idea would be express the port as a permission and have host as the resource. This would require us to modify the schema to express each network port as a permission and schema would need to be updated as we enable more ports. But to support the super user use case we would need to add every single network port as a permission in the schema. Would it be useful to support a 'default' permission in a relation, which is used when the permission in the check request does not match anything defined in the schema? The default permission could check to see if the user has an 'any' relation to the host. Any other ideas?

@liammoch something like:

definition host {
  relation superuser: user
  permission can_access = superuser
}

definition port {
  relation host: host
  relation accessor: user
  permission can_access = accessor + host->can_access
}

if you're not adding each port as an object in SpiceDB, how are you checking them?

api question: i saw that the java client lib is a pretty thin wrapper over buf-generated java code, and we're using clojure in our project. we could go the route of writing interop or we could go the route of protojure (pulling from the buf proto definitions), and one of the things that came up in our discussion was the question of whether the official libs will continue to be thin wrappers over proto definitions, or whether there's intention in the future to add additional logic, such as around caching or zedtoken handling. is there a sense of which way it's more likely to go? (understanding that there's no guarantees in this world)

there is an intention down the road to add additional logic to the client libraries if needed

but as of right now, there aren't any firm plans

thanks! i think that'll help inform the discussion.

Yes, you are right, adding a port as an object is the natural way to do it. I didn't think of modeling it like above, where the port delegates the permission check to the host. Thanks!

I think the above model does not solve my problem though. Let's take a specific example. I want to achieve U1 allow access to Host1 Port30 U2 allow access to Host2 Port40 U3 allow access to any port on Host 1 or Host 2 With your model U1 will have a can_access relation to Port30, thus allowing it to access Port30 on any host. The intention is to allow a user access to a specific port on a specific host (and not just a specific port on any host) The other thing I am hoping to do is avoid adding relations between 65k TCP port objects and Host 1, Host 2, HostN to address U3.

> With your model U1 will have a can_access relation to Port30, thus allowing it to access Port30 on any host

only if the port is defined as

30

I was intending it to be an object per port, per host

so port

host1_30

or somesuch

> The other thing I am hoping to do is avoid adding relations between 65k TCP port objects and Host 1, Host 2, HostN to address U3. right, that's the downside

if you have ports and hosts completely distinct, you'll likely need two checks

one on the port, and one on the host

Yes, I suspected two checks are required. In my original message I had this other idea shown below.

Another idea would be express the port as a permission and have host as the resource. This would require us to modify the schema to express each network port as a permission and schema would need to be updated as we enable more ports. But to support the super user use case we would need to add every single network port as a permission in the schema. Would it be useful to support a 'default' permission in a relation, which is used when the permission in the check request does not match anything defined in the schema? The default permission could check to see if the user has an 'any' relation to the host.

In the above idea we model access to a specific port as a permission. Would it be a concern if we were to add all possible network ports as unique permissions on the host object? The second part of the proposal tries to avoid adding all ports as permissions and proposes the idea of a default permission to handle the super user case. Let me know your thoughts. Completely okay to laugh it off 🙂

Hi guys! May you help me to figure out with lookup method? I have the following structure:

project_1 {
 team_11 {}
 team_12 {
   user_1
 }
}

project_2 {
 team_21 {}
 team_22 {
   user_1
 }
}

LookupResources allows to get a list of all available teams, regardless of the project but I have to get a list of teams available to the user_1, but only in project_1. What is the best way to do this?

Hi, I have an issue with the connection to Postgres. Could you help me? More info here https://stackoverflow.com/questions/72285637/authzed-spicedb-failed-to-create-postgres-datastore-failed-to-connect

That's not a supported use case for

Lookup

as written. You could make a graph node that was the combination of a team and project, and then you could look up teams that relate to that node, but that's probably not what you're looking for. I think your best bet is to either go forward: find the teams that belong to a project, and

Check

each one if the user is a member, or go backward, find every team that a user is a member of (transitively?) and then

Check

whether each one belongs to the project

I posted a response on Stack Overflow, but the short answer is you can't use

localhost

if they're in two different containers, you need to use user-defined bridge networking

is there a name for the syntax that schemas use? like if the file is going to be schema., what is ?

.zed

probably?

yep

is there a syntax definition file for that somewhere if i wanted to get that hooked into vim?

what format does vim use?