this was more of me just poking at the api

hopefully the upgraded one helps

and yeah, for the hot path, the plan is LookupWatch

or rather, a cache on top of it

Hello, I need to create a permission with a complex set of unions and intersections. Something like:

definition sample/registration {
  relation learner: sample/student;
  relation target: sample/formation;

  permission subscribe = (target->subscribe & learner->subscribe) + learner->self
}

Is it possible to use parenthesis to priorize the operations ? Otherwise, how can we do this kind of things in rebac ? Thanks (sorry for the noob question !)

Yes, you can use parens

Or other permissions if you want to name the sub expressions

Youhou, great news for me ! thanks @Joey

Hello, I'm trying to figure out if there is a way to implement this scenario in SpiceDB - a user can only

view

a folder if they can

view

ALL files in that folder (files and folders are used just as an example, the actual entities are a bit different). Any help would be much appreciated.

Hi guys, I'm using HTTP API for SpiceDB (axios). The goal is to fetch all relationships for given definition, the issue is, I'm not getting data in a correct JSON format. As you can see in the image, there is no objects array, just parsed separate object strings. Do anybody of you guys, know a way to send the response as a valid JSON objects array (over HTTP)? Btw sorry if that's a newbie issue.

the read relationships API is streaming, so it will return a set of results, with each new object being one result

how are you defining the relationship between the folder, file and user?

I'm open to any definition that would solve the problem but if I define it like this

definition user {}

definition folder {}

definition file {
    relation parent: folder
    relation viewer: user

    permission view = viewer
}

I don't see a way to define a permission for the folder that would depend of its files and if I define it like this

definition user {}

definition folder {
    relation contents: file

    permission view = contents->view
}

definition file {
    relation viewer: user

    permission view = viewer
}

the

view

permission for a folder will be granted when any file is viewable (while I want that all of them are)

you likely want https://github.com/authzed/spicedb/issues/597

I should also caution that if you grant folder access based on all files, it will become slower over time as more and more files are added

many thanks, it seems to be what I need indeed, is it any close to being implemented? it's not literally "files" and "folders" in my case, and the number of "files" isn't going to grow much

its mostly around settling on what the operator will look like. suggestions are welcome

can a poll be created here/somewhere to choose the operator and unblock the implementation? 😀

be pretty easy to add one based on emoji responses

unfortunately, there isn't a great deal of consensus yet on it

would be happy to test a PR/fork even if the syntax is still subject to change (for me personally, the options with & seem to make more sense than ~, as tilde is rather associated with "approximately" or "not")

if you don't mind responding to the issue, I'd be happy to ping you once the PR is in draft

Hello spicy people! I'm having an issue with 1.8.0 on Postgres: it seems that it made all transactions

SERIALIZABLE

(https://github.com/authzed/spicedb/pull/581/files#diff-cc7f4962fde0ca83da82d95e2d7e23f00084437867c3cbe61eb70b4509576496R288). It's very problematic for me: I direct all the

checkPermission

without a zedToken to a read replica (AWS Aurora), and read replicas do not support the

SERIALIZABLE

level (see last point in https://www.postgresql.org/docs/current/hot-standby.html#HOT-STANDBY-CAVEATS). This means that I can't use a read replica at all with 1.8.0, which means I lose a lot of reliability and horizontal scalability 😬 I suppose the goal was to avoid unrepeatable reads? Could we use the

REPEATABLE READ

isolation level?

This is what I get in practice (

zi

is an alias for

zed

)

@williamdclt how are you directing non-zedtoken checks?

Client-side. I have a small-ish SDK, if the consistency requirement is

minimizeLatency

, it queries a spicedb service that's using a read-replica, otherwise it sends it to another spicedb service that's using the master DB

interesting... I imagine we could change the isolation when talking to a read replica, but SpiceDB currently has no concept of that. Would you be interested in potentially formalizing the read replica support in SpiceDB, such that it picks the read replica if consistency allows for it?

> I imagine we could change the isolation when talking to a read replica, but SpiceDB currently has no concept of that I haven't deeply thought about it, but: - Do we actually need

SERIALIZABLE

level? SpiceDB wasn't using it until 1.8.0 - We could set

SERIALIZABLE

for write requests (eg

writeRelationships

), and

REPEATABLE_READ

for read requests?

REPEATABLE_READ

should always be enough for readonly requests, if I'm not mistaken > Would you be interested in potentially formalizing the read replica support in SpiceDB, such that it picks the read replica if consistency allows for it? I would be interested, but I'm worried about not being able to allocate time to that 😅 What do you have in mind, some sort of design document describing read replica support in SpiceDB-with-Postgres?

yep

the idea that'd formally configure SpiceDB with read replicas and it would intelligently choose which one to use