spicedb
- i
Igor.Shmukler
09/12/2022, 2:37 PMbe my pleasure - r
radmongoose
09/12/2022, 4:16 PMHey all. I'm trying out the spicedb-operator, but am running into an issue. I'm trying to set it up to access spanner which requires setting up workload identity. However the operator seems to create it's own
service account and there doesn't seem to be a way to override that.spicedb - e
ecordell
09/12/2022, 4:21 PMif you create the service account ahead of time with the workload identity annotations, spicedb-operator won't overwrite them - e
ecordell
09/12/2022, 4:23 PMthat's the simplest workaround for now, we have https://github.com/authzed/spicedb-operator/issues/61 with some other options and tracking improvements in this area. if you have an opinion on the future direction, we'd love to hear it in a comment! - a
Alsbury
09/12/2022, 9:57 PMI've spent the last couple of days trying to get a PHP library working so that I could use PHP and SpiceDB over gRPC. Using the Ruby project as my starting point, I was able to get classes to generate. However I've had a lot of issues. Some seem to be with the tooling for generating classes and the bug that put me at a complete standstill may be related to the protobuf PHP extension. The SpiceDB PHP library I created can be found here (it doesn't work): https://github.com/alsbury/chiphpotle The issue that I'm having is documented briefly here: https://github.com/alsbury/chiphpotle/issues/1 If anyone has any ideas on how I can get to the bottom of this, I'm interested in feedback. Getting a working PHP library for SpiceDB would open up SpiceDB to a large community.j- 2
- 13
- j
Joey
09/12/2022, 10:14 PM@jzelinskie ^ - j
jzelinskie
09/12/2022, 10:15 PMspicedb php client - a
Arash
09/12/2022, 10:21 PMHi folks. Is there a way to run the authzed playground locally? For some reason, my browser is unable to download the entire
file. It always fails at around 3 MB.main.wasmjj- 3
- 16
- n
niodice
09/12/2022, 11:41 PMLooking for guidance on how I might model some relationships. Suppose I have a
object and I am grantingfoo
permissions on aview
based on the visibility of thefoo
(where visibility is an application logic, and could befoo
,only_me
, orfriends
. I have a sample schema that workseveryone
But it is a little bit clunky. Suppose for example that adefinition foo { relation token: token relation friends: foo // representing the visibility settings of `foo`. Only 1 of these relations should be logically set at any given time. relation viz_me: foo relation viz_friends: foo relation viz_everyone: token:* // intermediary results permission friends_tokens = friends->token permission view = (viz_everyone + viz_me->token + viz_friends->friends_tokens) }
is configured in the application asfoo
visibility -- meaning that only tokens with theonly_me
relation can view it. If that changes totoken
, then I need to: - Check iffriends
orviz_me
is set, and un-set it - Setviz_everyone
relation This pattern is common in our application and so I'm looking for a way to effectively work with this pattern. Ideally, I'd like to set just one relation and update it with something that represents the set of tokens. I think that this would be possible if I could write a statement like this:viz_friends
And set thedefinition foo { relation token: token relation friends: foo relation viz_tokens: token permission view = viz_tokens }
, when writing the relationship, to something likeviz_tokens
, ortoken:*
, or$THIS->token
. That way I get an atomic update, and don't need to worry about managing the fact that$THIS->friends->tokenOnly 1 of these relations should be logically set at any given time. - j
Joey
09/12/2022, 11:48 PMwell, you can perform multiple updates atomically, so that shouldn't be the primary concern, but I do see why you want it to be simpler - j
Joey
09/12/2022, 11:49 PMif this is a common enough pattern across objects, it might possible to do things in a somewhat shared manner; let me give it some thought - j
Joey
09/12/2022, 11:49 PM@niodice are the subjects of "friends" tokens as well? - j
Joey
09/13/2022, 12:06 AM@niodice take a look at this: https://play.authzed.com/s/91S2iSz_mZ7z/schema. This schema allows you to specify a single type of
, create one per resource and choose which level based on the permission referencedvisibility - n
niodice
09/13/2022, 12:39 AMohh, @Joey this is interesting. i think this is more along the lines of what I was looking to do - n
niodice
09/13/2022, 12:39 AMLemme digest it a bit and circle back with any questions - n
niodice
09/13/2022, 1:03 AM> well, you can perform multiple updates atomically, so that shouldn't be the primary concern, but I do see why you want it to be simpler What happens in one update if a subset of the relations don't exist and I try to delete them? Also I'm looking closer at your schema. It does simplify things, but it requires a bidirectional relationship. For example, I need to both set
anddocument::visibility
relationships. Is there a way to avoid such a cyclic dependency?visibility::parent - j
Joey
09/13/2022, 1:04 AMits only cyclic if it were to walk back to itself - j
Joey
09/13/2022, 1:04 AMit is bidirectional though - j
Joey
09/13/2022, 1:04 AMand if you do want to share a type, its necessary - j
Joey
09/13/2022, 1:04 AMunless you define the
, etc on the visibility itselfowner - j
Joey
09/13/2022, 1:04 AMin which case, then you don't need to have theparent - i
Igor.Shmukler
09/13/2022, 2:13 AMhello Could use help with documentation. Looking at https://github.com/authzed/authzed-node and trying to make sense of it. Where do i set the context?
should take care of the shared secret. This is great. Where do i point my client to the server running SpiceDB? Either the examples do not have it, or I cannot find it. I got other questions as well. The documentation for NodeJS package is limited. Got my draft schema close enough that checks withv1.NewClient('somerandomkeyhere')
are all working fine. Regular examples are pretty good. Now, I want to map thezed
command to the NodeJS library and suddenly it turns out to be a little complicated.zed permission check event:27 edit user:2 - j
Joey
09/13/2022, 2:14 AM - i
Igor.Shmukler
09/13/2022, 2:15 AMthank you, @Joey - i
Igor.Shmukler
09/13/2022, 3:04 AMi am still unable to get NodeJS client do what I need. zed is working. I call it as:
and it returnszed permission check event:27 read user:2
. that is perfect for me. following the example @Joey recommended, I was able to initialize the client. I don't get error, yet it is not working liketrue
. my code:zed
The respond I am getting is not aconst eventRef = v1.ObjectReference.create({ objectType: 'event', objectId: `${id}` }); const userRef = v1.ObjectReference.create({ objectType: 'user', objectId: `${userId}` }); const checkPermissionRequest = v1.CheckPermissionRequest.create({ resource: eventRef, permission: 'read', subject: v1.SubjectReference.create({ object: userRef }) }); spiceDBclient.checkPermission(checkPermissionRequest, (err, response) => { console.log('response:', response); console.error(err); });
ortrue
. It reads like:false
What am I doing wrong? What is the correct what of getting what I need?{ permissionship: 2, checkedAt: { token: 'GgQKAjMx' } } - j
Joey
09/13/2022, 3:06 AMexpect(checkResponse?.permissionship).toBe( CheckPermissionResponse_Permissionship.HAS_PERMISSION ); - j
Joey
09/13/2022, 3:07 AMyou need to compare the
of the response to.permissionshipCheckPermissionResponse_Permissionship.HAS_PERMISSION - u
user
09/13/2022, 12:29 PMHi, I am looking for .Net client to use authzed? Do we have support for .net apps? - v
vroldanbet
09/13/2022, 12:32 PMThere are 2 community-mantained clients for C# and F#: https://github.com/authzed/awesome-spicedb - u
user
09/13/2022, 12:43 PMthank you :)