844600078504951838 #spicedb

Channels

liammoch

06/10/2022, 11:58 PM

We have a use case, where for some users we need to pre-provision all the access rules between that user and all permitted resources. I have been looking at the WatchAPI and the LookupAPI to see if I can achieve that. Given that the user and the resource may not be directly connected in the graph, we need to watch out for intermediate relationship changes. Any guidelines on how I can achieve this using the current API set? Will the Leopard index API help solve this in a less tedious fashion?

Joey

06/11/2022, 12:19 AM

not sure I follow: what, exactly, are you trying to do?

liammoch

06/11/2022, 12:51 AM

definition user {}

definition folder {
    relation reader: user
    relation parent_folder: folder
    permission read = reader + parent_folder->read
}

definition document {
    relation reader: user
    relation parent_folder: folder
    permission read = reader + parent_folder->read
}

Say I have documents

doc1 --- parent ---> folder1
doc2 --- parent ---> folder2
doc3 --- parent ---> folder3

joe --- reader ---> folder1
joe --- reader ---> doc3

frank ---> reader ---> folder2


I want to fetch the set of document that joe has view permissions on, either directly or indirectly and pre-program those in our PEP. I also need to watch out for changes to that set so that I can update my pre-programmed rules. I want to handle access requests for frank as usual via the Check API.

Joey

06/11/2022, 12:51 AM

Lookup today, LookupWatch tomorrow

Joey

06/11/2022, 12:52 AM

so you can use Lookup and re-run it whenever anything changes

Joey

06/11/2022, 12:53 AM

but to do so in an even somewhat efficient manner, you'll need reachability and a few other things we're working on adding for LookupWatch

liammoch

06/11/2022, 12:54 AM

Can you please send me a link to the proposal for LookupWatch

Joey

06/11/2022, 12:55 AM

https://github.com/authzed/spicedb/issues/207

ukanwat

06/13/2022, 3:46 AM

Hi, Is there a way to fetch all of the relationships an object has with a particular type of resources?

ukanwat

06/13/2022, 3:50 AM

ReadRelationships only gives just one relationship.

ukanwat

06/13/2022, 4:40 AM

I'm using NodeJS and this is my code:

const stream = client.readRelationships(v1.ReadRelationshipsRequest.create({

        relationshipFilter: v1.RelationshipFilter.create({
            resourceType: system + 'project',
            optionalSubjectFilter: v1.SubjectFilter.create({
                optionalSubjectId: 'SomeId',
                subjectType: system + 'user',

            })
        })
    }))
    const data = await new Promise((resolve, reject) =>
        stream.on('data', function (data) {
            resolve(data)
        })
    )

Joey

06/13/2022, 4:47 AM

a Promise will only resolve once

Joey

06/13/2022, 4:47 AM

stream.on

will be invoked for each result returned

ukanwat

06/13/2022, 4:53 AM

Yes I understand but how do I fetch them all at once, otherwise what's the point?

Joey

06/13/2022, 5:17 AM

Wait for the stream to finish and then resolve the promise with the full array

vlatko

06/13/2022, 3:58 PM

Hey everyone. I'm working on a healthcare system and I'm modelling the permissions of it and I definitely want what SpiceDB offers! 👏 👏 However, as quite a few people by now, I have a question with regards to Lookup Watch API & Tiger Cache. https://github.com/authzed/spicedb/issues/207 1. This feature has been labeled as

prio/4 (maybe)

. Is there any chance maybe that the

priority

gets revisited? Or any indication about how the development of it is progressing? I do see quite a lot of feedback about use-cases requiring it and for us even the very first use-case is already in need for something like that: - Show me all the patient admissions that I have access to/Show me the first page of patient admissions that I have access to (Already 5M+ admissions, 10-50K more per day; many organizations & branches within; different roles can see different admissions etc. etc.) 2. Is there any way (someone from) the community can help with it? Feedback, use-cases, test, QA, code? 3. Has someone maybe successfully remodelled their domain for such use-cases (filtering a list + pagination) so that they can performantly use SpiceDB without Lookup Watch API & Tiger Cache

Joey

06/13/2022, 5:20 PM

Hi @vlatko: the issue is marked with that priority primarily because it is still in the "needs discussion" state; once we have community buy-in on the feature, then it'll be reprioritized. I suspect at this point it is a matter of "when", not "if" we'll build it In terms of community involvement, we welcome involvement at any and all levels! The ideal is getting a design partner for the feature: someone who needs the feature, can work with us actively on the design, testing and feedback. We can schedule a call if you feel this might be something you're interesting in doing. > Has someone maybe successfully remodelled their domain for such use-cases (filtering a list + pagination) so that they can performantly use SpiceDB without Lookup Watch API & Tiger Cache Today this really depends on what information you have available and what your numbers look like: if you can filter in the database down to a reasonable working set, then you can issue Checks in parallel for the sorted results to filter out any that might be not visible to the current user. If, on the other hand, you know the set of results for an individual user will be smaller, but the database is very large, then you can issue a LookupResources API call to get the full set of objects the user can view, and then pass that to your database. The only scenario in which the current solutions don't work well today is if you have a very large number of resources that a user can view and a database that is itself very large: for that, the proposal is the anticipated long-term solution

vlatko

06/14/2022, 6:54 AM

Hi vlatko0836 the issue is marked with

srolevink

06/14/2022, 2:17 PM

Hello! I have question about the GC functionality. When we start the docker image with bootstrap file and use the

--datastore-bootstrap-overwrite=true

flag, the

namespace_config

table expands with every restart of the docker image. I saw that the

relation_tuple

and

relation_tuple_transaction

tables are cleaned. It would be nice to do this also for the

namespace_config

table, or are there reasons to not do this?

Joey

06/14/2022, 2:50 PM

what datastore are you using?

Satz

06/14/2022, 5:26 PM

Anyone able to connect from spicedb to cockroachdb using kerberos? I am getting "AuthTypeGSS is unimplemented" error. Looks like this issue "https://github.com/cockroachdb/cockroach/issues/51799". Any advise on how to proceed further?

Jake

06/14/2022, 6:42 PM

Nobody that I know of has done this yet, we use pgx to talk to CRDB, and according to the issue that may make it harder? what have you tried so far?

mckenzig

06/14/2022, 7:58 PM

HI day 1 newbie - I'm trying to work out how to read relationships written in the example here https://github.com/authzed/authzed-py/tree/main/examples/v1 - I am able to write, but can't wok out how to read - any pointers? I'm not sure how to access the relationships in the response.....

python
resp = client.WriteRelationships(
    WriteRelationshipsRequest(updates=[RelationshipUpdate(operation=RelationshipUpdate.Operation.OPERATION_CREATE,
                                                          relationship=Relationship(
                                                              resource=ObjectReference(object_type="play2/post",
                                                                                       object_id="3"),
                                                              relation="writer",
                                                              subject=SubjectReference(
                                                                  object=ObjectReference(object_type="play2/user",
                                                                                         object_id="emilia"))))])
)

# do I need to specify object types, I guess not
resp = client.ReadRelationships(ReadRelationshipsRequest())

# hmm nothing here
print(resp.details())

Joey

06/14/2022, 8:40 PM

ReadRelationships is a stream, so you should be able to do

for result in resp

(something like that)

mckenzig

06/14/2022, 9:01 PM

Thanks for posterity this works:

python
print(list(client.ReadRelationships(ReadRelationshipsRequest(relationship_filter=RelationshipFilter(resource_type='play2/post')))))

mckenzig

06/15/2022, 2:17 AM

Hi I am sure this is a newbie FAQ but I cannot seem to find info on it. During schema development presumably it is common to iteratively make and apply schema tweaks and reload data. Reasonably the managed permissions service on authzed.com complains if I try to create an existing relationship:

grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
    status = StatusCode.UNKNOWN
    details = "unable to write relationships: ERROR: duplicate key value violates unique constraint "pk_relation_tuple" (SQLSTATE 23505)"
    debug_error_string = "{"created":"@1655259168.303000000","description":"Error received from peer ipv4:130.211.126.102:443","file":"src/core/lib/surface/call.cc","file_line":953,"grpc_message":"unable to write relationships: ERROR: duplicate key value violates unique constraint "pk_relation_tuple" (SQLSTATE 23505)","grpc_status":2}"
>

Is there an 'upsert' semantic for writing relationships? Check for existence before writing?

Jake

06/15/2022, 2:18 AM

TOUCH is an upsert

mckenzig

06/15/2022, 2:23 AM

@Jake Nice!

Rupa

06/15/2022, 3:38 AM

So are there any performance or scale limitations that we see in serve-testing ?

Rupa

06/15/2022, 3:39 AM

Since we are hosting spicedb and cockroach ourselves, wanted to check if a production system can be run in the serve-testing mode