844600078504951838 #spicedb

Channels

zanzibar

test-forum

spicedb

Joey

06/17/2022, 6:58 PM

then you can check for either a user or a persona

yetitwo

06/17/2022, 7:02 PM

i'd say it's a synthetic user of sorts. i was hoping to avoid needing to mess with downstream relations by defining it reflexively on a user, but i hadn't considered that defining a relation in terms of a user or a persona really isn't that bad.

yetitwo

06/17/2022, 7:02 PM

that makes sense, though. thank you for taking a look!

Joey

06/17/2022, 7:16 PM

another option is to combine them like so:

Joey

06/17/2022, 7:17 PM

definition user {
  relation this: user
  relation persona: persona
  permission user_or_persona = this + persona
}

definition persona {}

definition thing {
  relation reader: user#user_or_persona | persona
}

Joey

06/17/2022, 7:17 PM

then you can just link to the user's

user_or_persona

Joey

06/17/2022, 7:17 PM

and then issue a check for the user OR a persona

Joey

06/17/2022, 7:17 PM

and if the user has a persona, it'll work

Joey

06/17/2022, 7:17 PM

you'll need to link the user to itself via

this

, but that only needs to be done once

yetitwo

06/17/2022, 8:36 PM

i think the former approach will cover our use case - it's also nice in the sense that it shows ownership of personas by users, which will probably be a part of administrating those personas.

pebbleacro

06/18/2022, 7:39 AM

Is there any plan to support schema prefix in open source version to let the schema separated into multiple micro services?

mckenzig

06/18/2022, 8:35 AM

Hi, I'm running into some getting started issues following the docker guide here https://docs.authzed.com/spicedb/installing#docker (apologies for the screenshot, I don't have discord access on my work machine, screen grabs is the best I can do) I am able to get a socket connection to the server, but get a "failed to connect to all addresses" error from the client. Any pointers?

Joey

06/18/2022, 3:49 PM

you can use schema prefixes in SpiceDB, but they are only an organization tool right now

Joey

06/18/2022, 3:50 PM

how are you running Docker on your machine? you might need to use a different DNS name for the container

mckenzig

06/18/2022, 10:18 PM

Hi Joey Windows 7 docker 19.03.1 with docker machine 0.16.1 A little more experimentation shows that using zed from the Windows machine command line and specifying --insecure works fine. python is unable to connect even though I am using insecure_bearer_token_credentials.

Joey

06/18/2022, 10:18 PM

are you running zed in a container?

Joey

06/18/2022, 10:19 PM

or Python in a container?

prasanna

06/20/2022, 7:33 AM

Hi everyone I am trying to set an optional relation to my user but unable to do it

prasanna

06/20/2022, 7:34 AM

Could anyone point me to any document we have on optional relation setting cause I couldn’t find one in the Authzed website

vroldanbet

06/20/2022, 8:11 AM

Hi everyone

HOPE

06/20/2022, 8:32 AM

Hi I'm struggling to add unit tests for my application which uses spicedb. Say I have a

mutation func()

in go. after executing the mutation it will write a

(resource, subject, permission)

tuple to authzed. I'd like to test after i executed func(), does

subject

have

permission

resource

. I am aware of the serve-testing. But I'm wondering how I can put it into my go unittest code. I'm trying this example https://github.com/authzed/spicedb/blob/main/cmd/spicedb/servetesting_integration_test.go But it requires building a docker image. And when I removed first two lines

//go:build docker
// +build docker

and run

go test

, it pops up error saying

go/pkg/mod/github.com/authzed/spicedb@v1.8.0/pkg/proto/core/v1/util.go:17:47: undefined: v0.RelationTupleTreeNode

vroldanbet

06/20/2022, 9:38 AM

spicedbservetesting_integration_test.go...

DefinitelyNotSam

06/20/2022, 11:27 AM

Is there any docs on how to deploy in cluster mode? I can't seem to find anything on it

calle-ibx

06/20/2022, 2:29 PM

Hi! (Apologies if this has been covered in the channel, I'm not getting much help from search) We're looking to use AuthZed to authorize our internal applications against Google Workspace groups. My understanding is that this means we'll sync our group memberships to SpiceDB relationships. This sounds like a very frequent need - is there some component someone has built already that does this? Doing the happy path doesn't seem very tricky, but I'm expecting a lot of interesting edge cases that would be nice not to have to discover ourselves 🙂

vroldanbet

06/20/2022, 2:34 PM

Is there any docs on how to deploy in

Rocio

06/20/2022, 3:41 PM

Hi 👋 Wondering about a specific pattern. Say we wanted to warn users before someone lost access to an object that they depend on: 1. A user gives access to an object to user:1 and team:1 (the relationships

user:1#access@object:1

, and

team:1#access@object:1

are created) 2. User:1 is added to Team:1 (user:1#member@team:1) 3. User:1's access is removed from the object - but they still have access because they are part of the team. (the relationship

user:1#access@object:1

is removed) Is there a way to make a change "temporairly", and then test what would be the consequences? In this case, for example, remove the

user:1#access@object:1

relationship and then return what are all the users that have access to

object:1

? To make sure that

user:1

still has access to the object. If not, how would you do something like this? Keep track of the relationships on the service side?

Joey

06/20/2022, 3:43 PM

you could define a permission that only includes "local" access, and then check it and the overall permission: if the "local" permission is false, but the global one is true, then you know the user only has access through the global relation(s)

Joey

06/20/2022, 3:44 PM

as an example:

definition user {}

definition organization {
  relation member: user
  permission view = member
}

definition resource {
  relation viewer: user
  relation org: organization

  permission view_local = viewer
  permission view = view_local + org->view
}

Rocio

06/20/2022, 3:46 PM

Thank you! I think this would work 🙂

Rocio

06/20/2022, 3:53 PM

I think there could still be a problem if the user is a member of two teams, and the team is the one that's removed access. We wouldn't have a way to know if removing team:1's access to the object, would actually cause that user to lose permissions or not