844600078504951838 #spicedb

Channels

spicedb

test-forum

zanzibar

Joey

09/23/2022, 11:45 PM

is Python running in a container too?

gwb

09/23/2022, 11:45 PM

yes

gwb

09/23/2022, 11:45 PM

separate container. the one that i called curl from

gwb

09/23/2022, 11:54 PM

yes, separate container. the one that i called curl from

Joey

09/23/2022, 11:55 PM

oh, right

Joey

09/23/2022, 11:55 PM

you can't use insecure on a non-localhost DNS name

Joey

09/23/2022, 11:55 PM

for security reasons

Joey

09/23/2022, 11:56 PM

there might be a way in gRPC to work around that, but they don't like doing so

gwb

09/24/2022, 1:42 AM

I guess I need to figure out how to turn on tls. Thanks for your help!

gwb

09/24/2022, 1:53 AM

Any pointers to the TLS configuration/docs? I’m having trouble finding them.

Joey

09/24/2022, 1:55 AM

--grpc-tls-cert-path string                                local path to the TLS certificate used to serve gRPC
      --grpc-tls-key-path string                                 local path to the TLS key used to serve gRPC

gwb

09/24/2022, 1:56 AM

Ah, can those be self signed?

Joey

09/24/2022, 2:01 AM

yes, but you'd have to config your grpc client to use your self signed CA too

gwb

09/24/2022, 2:03 AM

Got it. Thanks again!

nvnsdrdy

09/25/2022, 5:10 AM

hello, if company has teams , where does the permission to create team members sit, in company or team

Joey

09/25/2022, 5:31 AM

To create a team? Usually on the company. To add a member to the team? Can be either

nvnsdrdy

09/25/2022, 5:31 AM

thanks Joey

nvnsdrdy

09/25/2022, 5:53 AM

NOT urgent. if any could point glaring mistakes. will write test_relationships but any help will be appreciated..

definition user {
}
definition team {
    relation parent: team
    relation team_company:company
    relation team_member: company#company_member
    relation team_admin: company#company_member
    permission add_team_members = team_admin
    permission read_members = team_member + team_admin
    permission add_team_to_document_group = team_admin
    permission remove_team_from_document_group = team_admin
    permission add_user_to_document = team_admin
    permission remove_user_to_document = team_admin
}
definition company {
    relation owner: user
    relation company_member: user
    relation teams_maintainer: user 
    // team actions
    permission create_teams = owner
    permission create_team_admin = owner
    permission change_team_name = teams_maintainer 
}
definition document_group {
    relation disclosed_team: team
    relation disclosed_user: user
    permission read_document_group = disclosed_user + disclosed_team
}
definition document {
    relation discgrp: document_group
    relation disc_item_team: team
    relation disc_item_user: user
    relation reader: document_group#disclosed_user | document_group#disclosed_team | disc_item_user
    relation writer: team#team_admin

    permission add_item = writer
    permission view = reader 
    
}

Aywan

09/25/2022, 8:12 AM

Hello everyone, I have a question around the API consistency, especially for the default behavior of

minimize_latency

> WARNING: If used exclusively, this can lead to a window of time where the New Enemy Problem can occur. What is the order of a

window of time

? Is it define somewhere ? Like is it few seconds, or few minutes, or can it be even hours etc ?

Joey

09/25/2022, 4:03 PM

it depends on the window configured; the default is ~5s

Joey

09/25/2022, 4:04 PM

the only thing I see that may be an issue is this:

relation disclosed_team: team
    relation disclosed_user: user
    permission read_document_group = disclosed_user + disclosed_team

the

disclosed_team

is a team, not its members, so that will return if a user or a team can read the group, but not the members of the team. If you want the members of the team, you need to either use an arrow ala

disclosed_team->team_member

reference the members in the relation itself

timjr

09/26/2022, 10:37 AM

I've got a question about using the intersect operator. I've got a schema with 3 definitions - users, resources & groups. I want to control user access to a resource by 1) the user's relation to the resource , 2) the user belongs to all the groups the resource belongs to . Using intersect operator only validates that the user belongs to at least one of the resource's groups

vroldanbet

09/26/2022, 10:41 AM

@timjr I believe what you are looking for is https://github.com/authzed/spicedb/issues/597

timjr

09/26/2022, 10:47 AM

Yes that looks like it - the ticket discussion is supporting the change, how do I find out when / if this might be released? (I've just joined so not got much context)

vroldanbet

09/26/2022, 10:48 AM

I think the best way is to chime in in the issue itself, but AFAIK I don't think this is planned just yet.

timjr

09/26/2022, 10:51 AM

Ok thanks

niodice

09/26/2022, 8:29 PM

Suppose we have to respond to a user action with > 1 permissions updates -- say write a relationship and delete a relationship. Is there a way to batch those into a single transaction? Or in other words, how can we be sure that only ALL or NONE of the relationships are successful?

Joey

09/26/2022, 8:31 PM

WriteRelationships

call takes multiple updates (create, touch or delete) that are guaranteed to succeed or fail as a single transaction

niodice

09/26/2022, 10:24 PM

Oh, I think I missed that. Thanks for the pointer

arifgore

09/27/2022, 11:26 AM

Hi! My name is Arif. I need to create a Helm chart for an open source project and send it to upstream for my internship. SpiceDB seems like a good option to me. I want to know if you will accept it to the project if I choose SpiceDB. And I also can prepare Grafana dashboard for SpiceDB, if it has (or will have) metrics.