liammoch
06/10/2022, 11:58 PM
Joey
06/11/2022, 12:19 AM
liammoch
06/11/2022, 12:51 AM
```
definition user {}

definition folder {
    relation reader: user
    relation parent_folder: folder
    permission read = reader + parent_folder->read
}

definition document {
    relation reader: user
    relation parent_folder: folder
    permission read = reader + parent_folder->read
}
```
Say I have documents
doc1 --- parent ---> folder1
doc2 --- parent ---> folder2
doc3 --- parent ---> folder3
joe --- reader ---> folder1
joe --- reader ---> doc3
frank --- reader ---> folder2
I want to fetch the set of documents that joe has view permissions on, either directly or indirectly, and pre-program those in our PEP. I also need to watch out for changes to that set so that I can update my pre-programmed rules. I want to handle access requests for frank as usual via the Check API.
Joey
06/11/2022, 12:51 AM
Joey
06/11/2022, 12:52 AM
Joey
06/11/2022, 12:53 AM
liammoch
06/11/2022, 12:54 AM
Joey
06/11/2022, 12:55 AM
ukanwat
06/13/2022, 3:46 AM
ukanwat
06/13/2022, 3:50 AM
ukanwat
06/13/2022, 4:40 AM
```
const stream = client.readRelationships(v1.ReadRelationshipsRequest.create({
  relationshipFilter: v1.RelationshipFilter.create({
    resourceType: system + 'project',
    optionalSubjectFilter: v1.SubjectFilter.create({
      optionalSubjectId: 'SomeId',
      subjectType: system + 'user',
    })
  })
}))
const data = await new Promise((resolve, reject) =>
  stream.on('data', function (data) {
    resolve(data)
  })
)
```
Joey
06/13/2022, 4:47 AM
Joey
06/13/2022, 4:47 AM
`stream.on` will be invoked for each result returned
ukanwat
06/13/2022, 4:53 AM
Joey
06/13/2022, 5:17 AM
vlatko.s
06/13/2022, 3:58 PM
`prio/4 (maybe)`. Is there any chance maybe that the priority gets revisited? Or any indication about how the development of it is progressing? I do see quite a lot of feedback about use-cases requiring it and for us even the very first use-case is already in need for something like that:
- Show me all the patient admissions that I have access to/Show me the first page of patient admissions that I have access to
(Already 5M+ admissions, 10-50K more per day; many organizations & branches within; different roles can see different admissions etc. etc.)
2. Is there any way (someone from) the community can help with it? Feedback, use-cases, test, QA, code?
3. Has someone maybe successfully remodelled their domain for such use-cases (filtering a list + pagination) so that they can performantly use SpiceDB without Lookup Watch API & Tiger Cache
Joey
06/13/2022, 5:20 PM
vlatko.s
06/14/2022, 6:54 AM
srolevink
06/14/2022, 2:17 PM
`--datastore-bootstrap-overwrite=true` flag, the `namespace_config` table expands with every restart of the docker image. I saw that the `relation_tuple` and `relation_tuple_transaction` tables are cleaned. It would be nice to do this also for the `namespace_config` table, or are there reasons to not do this?
Joey
06/14/2022, 2:50 PM
Satz
06/14/2022, 5:26 PM
Jake
06/14/2022, 6:42 PM
mckenzig
06/14/2022, 7:58 PM
```python
resp = client.WriteRelationships(
    WriteRelationshipsRequest(updates=[RelationshipUpdate(
        operation=RelationshipUpdate.Operation.OPERATION_CREATE,
        relationship=Relationship(
            resource=ObjectReference(object_type="play2/post",
                                     object_id="3"),
            relation="writer",
            subject=SubjectReference(
                object=ObjectReference(object_type="play2/user",
                                       object_id="emilia"))))])
)
# do I need to specify object types, I guess not
resp = client.ReadRelationships(ReadRelationshipsRequest())
# hmm nothing here
print(resp.details())
```
Joey
06/14/2022, 8:40 PM
`for result in resp` (something like that)
mckenzig
06/14/2022, 9:01 PM
```python
print(list(client.ReadRelationships(ReadRelationshipsRequest(relationship_filter=RelationshipFilter(resource_type='play2/post')))))
```
mckenzig
06/15/2022, 2:17 AM
```
grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
    status = StatusCode.UNKNOWN
    details = "unable to write relationships: ERROR: duplicate key value violates unique constraint "pk_relation_tuple" (SQLSTATE 23505)"
    debug_error_string = "{"created":"@1655259168.303000000","description":"Error received from peer ipv4:130.211.126.102:443","file":"src/core/lib/surface/call.cc","file_line":953,"grpc_message":"unable to write relationships: ERROR: duplicate key value violates unique constraint "pk_relation_tuple" (SQLSTATE 23505)","grpc_status":2}"
>
```
Is there an 'upsert' semantic for writing relationships? Check for existence before writing?
Jake
06/15/2022, 2:18 AM
mckenzig
06/15/2022, 2:23 AM
Rupa
06/15/2022, 3:38 AM
Rupa
06/15/2022, 3:39 AM