I believe the grpc gateway supports streaming responses by converting them to chunked json. It'd depend on the http client you're using to manage the responses from there. This grpc gateway doc has some info describing this: https://grpc-ecosystem.github.io/grpc-gateway/docs/mapping/customizing_your_gateway/#stream-error-handler

If you are using wildcards in a schema, how does that work with the GRPC api? For example, if you have an

entity

and you want to mark it as public, such that all tokens could view the entity, then the schema would be:

defintion entity {
  relation public: token:*
}

In the GRPC api, do we just use the

*

string in the id field: https://buf.build/authzed/api/docs/main:authzed.api.v1#authzed.api.v1.ObjectReference ?

for the subject, yes

when writing the relationship

Cool

The reason I linked the objectreference is because the subjectreference has an objectreference: https://buf.build/authzed/api/docs/main:authzed.api.v1#authzed.api.v1.SubjectReference

yep

Thanks for reporting back, @Saturas! The spicedb should have a shell (it's based on alpine) but somehow something is not quite right there. I built the image locally and was able to get a shell. Also FYI comes with https://github.com/grpc-ecosystem/grpc-health-probe, which comes handy when you don't have the HTTP gateway enabled. e.g.

grpc-health-probe -v -addr localhost:50051

So the reason there is no shell there is that the image pushed is

Dockerfile.release

which is based on a scratch image

Thanks @vroldanbet. Is there a possiblity to get an image with a shell? Same for

quay.io/authzed/zed

we want to run it in a gitlab ci and validate the schema, but cant run the script block.

I'd suggest opening an issue for this! I personally don't see a problem in releasing something like

authzed/spicedb:v1.11.0-alpine

but not sure how the team feels about it

@Saturas we actually use distroless. We're discussing supporting something like variants of the image that use distroless-debug as the base image to help in these cases: https://github.com/GoogleContainerTools/distroless#debug-images In the mean time, you can make your own image by using a multi-step dockerfile that simply copies the spicedb binary from our image into something like an alpine or debian image that has a shell.

There's now an issue tracking this: https://github.com/authzed/spicedb/issues/749

@Saturas and merged, so it should be available in the next SpiceDB release

Thanks guys. We love your uncomplicated way ❤️

hello. is it possible add/remove relation/permission on an existing definition without "re-uploading" a schema?

there is not a way to change a portion of the definition without writing the whole updated definition

thanks. that make sense.

Thanks. I also opened an issue for the zed-cli, so you could use it in a gitlab ci without building your own image or reinstalling it every time. It would be much faster. https://github.com/authzed/zed/issues/141

Hey, I'm looking at SpiceDB and inherited permissions and I can't figure out how to, or if it's even possible, to "inherit backwards", for example - if

org:a is parent of org:b

, and

user:2 is (direct) member of org:b

, can I somehow make the assertion that

user:2 is member of org:a

work? - if

user:1 is admin of org:a

, and

user:2 is member of org:a

, can I somehow make the assertion that

user:1 is editor of user:2

? I get the reverse of this working fairly easily, like if

org:a is parent of org:b

and

user:1 is admin of org:a

then

user:1 is admin of org:b

Here's what I've been trying so far: https://play.authzed.com/s/0HQuSR3fu4dY/schema

Hello, Been following SpiceDB for maybe six (6) months. Finally, I would love to try it. Currently, looking for example projects integrating SpiceDB via an SDK. Believe that SpiceDB released a NodeJS SDK. If the example is against NodeJS, great. Otherwise, I will take anything. I would like to to take a look at some web service (for example expressjs ), with integrated SpiceDB, checking permissions. Is there anything like that available to public? Please share relevant resources.

you'll likely need to write "inverse" relationships for this to function. for your first example:

definition org {
  relation child: org
  relation member: user

  permission is_member = member + child->is_member
}

would have

is_member

return for the member of the org or any of its child orgs

https://github.com/authzed/authzed-node/blob/main/src/full.test.ts has some node examples

Hmm right, so I'd have to maintain "duplicate" tuples, one org:b#parent@org:a and org:a#child@org:b? It feels like there's a risk of that getting out of sync, but I suppose I just have to isolate the addParent and removeParent into functions in my code

yep, if you want to do things bidirectionally. Just be VERY careful when defining your permissions that you don't form loops

this is now merged too

I am trying to load up a decent amount of data at initialization so that we can do some automated performance testing with production volume data comparing CockroachDB and Postgres solutions. I cut the data way back down to only 1 tenant, and I can get it up and running in an in-memory solution with the

spicedb serve --datastore-bootstrap-files

commands, but when I try and point it to a backing Cockroach database, it errors out with

error="failed to create datastore: failed to load bootstrap files: error when loading validation tuples from file ./redrockschema.yaml: unable to write relationships: ERROR: message size 107 MiB bigger than maximum allowed message size 16 MiB (SQLSTATE 08P01)"

. Is there a better way to load up an initial dataset at start time in a timely manner? (Our basic test dataset is going to be closer to 16GB, than it is to 100MB)

bryan from github added batching support to zed to work around this problem: https://github.com/authzed/zed/pull/120

we probably need to add batching to the bootstrap as well

are you using a persistent or an ephemeral cockroach?