Jake
08/24/2022, 1:41 PM
Jake
08/24/2022, 1:41 PM
Jeroen (Speedzor)
08/24/2022, 1:44 PM
Jake
08/24/2022, 1:50 PM
Jake
08/24/2022, 1:51 PM
vroldanbet
08/24/2022, 1:55 PM
Jeroen (Speedzor)
08/24/2022, 1:57 PM
Lanny
08/24/2022, 2:29 PM
Joey
08/24/2022, 2:42 PM
Lanny
08/24/2022, 3:14 PM
I want write permission on a resource, I would need to translate write into zed relationship create blog/post:1 writer blog/user:danny. I'm not sure how to find the relationship writer from write
Joey
08/24/2022, 3:17 PM
Joey
08/24/2022, 3:17 PM
Lanny
08/24/2022, 3:23 PM
Joey
08/24/2022, 3:23 PM
jzelinskie
08/24/2022, 4:36 PM
Lanny
08/24/2022, 8:52 PM
view access to document/13234 -> [lanny,danny, etc]
jzelinskie
08/24/2022, 8:56 PM
Lanny
08/24/2022, 8:58 PM
Lanny
08/25/2022, 1:57 PM
Jake
08/25/2022, 2:20 PM
Lanny
08/25/2022, 2:35 PM
tartignolle
08/25/2022, 2:56 PM
LookupSubject API and its usage with Proposal: Lookup Watch API and Tiger Cache for fast ACL-aware filtering (https://github.com/authzed/spicedb/issues/207).
I would have expected the LookupSubject to accept a SubjectReference instead of (ObjectReference and permission)
Or at least to set the permission attribute to optional
tartignolle
08/25/2022, 2:58 PM
resource:F1#reader@user:U1
In this case, from what I understand, the Lookup Watch API would call the LookupSubject API with the subject part user:U1
But the permission attribute is required in LookupSubjectsRequest, hence I cannot call the LookupSubject API, i.e.
LookupSubjectsRequest {
  ObjectReference: {
    ObjectType: user,
    ObjectId: U1,
  },
  permission: ???
}
Am I missing something?
Thanks!
Joey
08/25/2022, 3:26 PM
Joey
08/25/2022, 3:27 PM
user is a terminal: we know there can't be any other subjects "beneath" it
Joey
08/25/2022, 3:27 PM
Joey
08/25/2022, 3:28 PM
resource:F1#reader@group:somegroup#member
Joey
08/25/2022, 3:28 PM
LookupSubjects would be
LookupSubjectsRequest {
  ObjectReference: {
    ObjectType: group,
    ObjectId: somegroup,
  },
  permission: member
}
Joey
08/25/2022, 3:28 PM
tartignolle
08/25/2022, 3:36 PM
definition user {}
definition resource_group {
  relation reader: user
  permission read = reader
}
definition resource {
  relation reader: user
  relation writer: user
  relation parent: resource_group | resource
  permission read = reader + writer + parent->read
  permission write = reader
}
I create the following relations
relationship("resource:F1#reader@user:U1"),
relationship("resource:F2#reader@user:U2"),
relationship("resource:F1#parent@resource_group:G1"),
relationship("resource_group:G1#reader@user:U1")
I delete this relation:
relationship("resource:F1#parent@resource_group:G1")
I receive the following result from the Watch API:
watchResponse {
updates [{
operation = 3
relationship = {
objectType = "resource"
objectId = "F1"
}
relation = "parent"
subject = {
object = {
objectType = "resource_group"
objectId = "G1"
}
optionalRelation = ""
}
I'd then expect to call the LookupSubject API with something like this:
LookupSubjectsRequest {
  ObjectReference: {
    ObjectType: resource_group,
    ObjectId: G1,
  },
  permission: ???
}
The problem is the permission value
Thanks!