Is there a SnP benchmark tests and results available against spicedb, against a typical HW configuration ?

Ooo I didn't know it had that functionality! I will expand my use case: Our services will be deployed into multiple customer environments, and we need to control both user access to those services, as well as limit communication between services across customer environments. We will have a central spicedb replica set in our own k8s cluster which each service from each customer environment will make permission check calls to - therefore, I would prefer those services to have read only access to the spicedb instance. Does that mean that multiple preshared keys + key rotation is not enough for my use case?

"typical" is hard to define, since it very much depends on the hardware, number of nodes run, datastore type and the shape of the data itself

that being said, we have run numbers on our own stack

Are these test suits available in github?, so that I can try running it against my k8s clusters. TIA.

no, but it should be fairly easy to do. I recommend using your real (or as close to real as you can) schema so that the data shape matches your real world use cases

we do have one, just thought of getting some variance against other shape of data, if its readily available, to see if it trends high or low under the benchmark.

Hello quick question, if I have a schema like:

definition user {}

definition group {
    relation member: user
}

definition resource {
    relation reader: user
    relation writer: user
    relation manager: user
    relation owner: user
    relation groupreader: group
    relation groupwriter: group

    permission own = owner
    permission manage = manager + own
    permission write = writer + manage + groupwriter->member
    permission read = reader + write + groupreader->member
}

and I have:

user:1 is member of group:1
user:1 is owner of resource:1

if I do the following lookup:

{
   resource_object_type: "resource",
   permission: "own",
   subject: {
      object: {
         object_type: "group",
         object_id: "1",
      },
      optional_relation: "member",
   }
}

shouldn't I receive as response

resource:1

? Because I tried in my system but I always get an empty list in return

Question on diagnosing and debugging spicedb (especially in production). At the moment spicedb seems like a black box. You fire a check request and get a yes/no answer. If we need to find out why spicedb arrived at a particular decision for a given check request, how can we go about it. I am looking for something that's programmatically consumable rather than have to turn on debugs and trawl through logs manually. I haven't yet explored the inbuilt tracing support. Will that help here?

yes, the tracing support that just merged provides a way to see that

however, the mainline recommendation is to make sure you have validation tests and assertions for your schema and to CI test that

the

own

permission is defined as

owner

, which only references users, which means no group can have that permission. a user in a group can have that permission, but not the group

This might help for grokking Joey's comment:

resource:1#own -> ??? -> group:1#member -> user:1

. Without adding some relation to the group, there's no path to walk between the user and the resource.

So, if I have to get all resources where at least one of the members of a group has own permission, the only way is to cycle through all members of a group and do a lookup on them?

yes, but I'm unsure why you're doing so: in your example, the group does not have permission to

own

the resource, so if you check for other members of the group, you're potentially granting access when those users are not allowed

what, exactly, is your use case?

I need to have a count of how much resources are owned by the users of a group to set a limit on the number of resources

you could write another relation and link it to the group

then just lookup for that group

is this to prevent them from going over that resource limit?

like, on a create operation?

Yes

can users be part of different groups?

Nope, a user can be member of only one group

then you might want to set the group as some sort of owner of the resource, even if it isn't use for the

own

permission itself

and then just lookup on the group

lookup is designed to return the resources that the subject has permission on: in your example schema, the group does not have

own

permission (e.g. a check would fail), so it is not returned by lookup

Ok I thought that by putting the optional_relation “member” in subject_reference would resolve the own permission on all members of a group, but I misunderstood. Thanks for the help