https://authzed.com logo
Powered by
#spicedb
  • k

    KV

    10/27/2022, 12:17 PM
    hi, there's a copy typo on https://authzed.com/spicedb -- "The data used to calculate permissions have the most critical correctness requirements in the entirety a software system."
  • k

    KV

    10/27/2022, 12:18 PM
    which is ironic in a sentence about "critical correctness requirements" ;)
  • j

    Joey

    10/27/2022, 2:19 PM
    thanks! we'll get that fixed
  • p

    Prchowdh

    10/27/2022, 5:54 PM
    * Provided two types - provide all the relation possible between them.
    Copy code
    type project{
    relation admin:  user 
}
    [project,user]-> [admin] * provided one type & relation - provide all the type can be related provided type with the mentioned relation ship.
    Copy code
    type project{
    relation admin:  user 
}
    [project,admin ] -> [user] * provided source , target types and relation - provide all the relation/permission of target type can be associated here
    Copy code
    type project{
    relation admin:  group#all_member  
}
    [source : project, target : group , relation : admin ] ---> [all_member] At this point - no such API exist - correct ?
  • j

    Joey

    10/27/2022, 6:44 PM
    there are currently no reflection APIs
  • j

    Joey

    10/27/2022, 6:44 PM
    there are two proposal issues tracking them
  • p

    Prchowdh

    10/27/2022, 6:50 PM
    is this one of them https://github.com/authzed/spicedb/issues/613 ? could you share other ?
  • j

    Joey

    10/27/2022, 6:51 PM
  • c

    ColeOmni

    10/27/2022, 7:13 PM
    Hi all, I'm working on a sample policy and I wanted to refer to a relation's relation 
    permission view = creator->manager->user
    it gives me an error message: Nested arrows not yet supported If this isn't supported, it requires us to denormalize the model, we will need to add redundant relationships for child resources. Doesn't this defeat the purpose of a relational system?
  • j

    Joey

    10/27/2022, 7:14 PM
    you don't need to add additional relationships
  • j

    Joey

    10/27/2022, 7:14 PM
    permission manager_user = manager->user
  • j

    Joey

    10/27/2022, 7:14 PM
    and then reference that in the parent permission
  • j

    Joey

    10/27/2022, 7:14 PM
    its not as nice (which is why we do intend to support nested arrows)
  • j

    Joey

    10/27/2022, 7:14 PM
    but its is semantically equivalent
  • j

    Joey

    10/27/2022, 7:15 PM
    also, if you're referencing 
    ->user
    under a role, you probably want that role to point to the user directly
  • j

    Joey

    10/27/2022, 7:15 PM
    but to know for sure, I'd have to see your schema
  • c

    ColeOmni

    10/27/2022, 7:32 PM
    My schema so far is below. I am trying to determine the view permission based on the relationships of the expense resource, but the nesting error seems to want me to only refer to direct relationships in the rules.
    Copy code
    definition user {
}

definition employee {
    relation user: user
    relation manager: employee
}

definition expense {
    relation creator: employee 
    // creator of expense can view
    permission view = creator->user

    // manager of creator of expense can view
    // multiple hierarchal lookup 'creator->manager->user' doesn't work because `Nested arrows not yet supported`
    // permission view = creator->manager->user
}

// facts
// employee:abc#user@user:1
// expense:1#creator@employee:abc
// employee:xyz#user@user:2
// employee:abc#manager@employee:xyz

// assertions
// - "expense:1#view@user:1"
// - "expense:1#view@user:2"`
    I tried your work-around 
    permission manager_user = manager->user
    but it also doesn't like that, it says relation/permission 
    manager
    not found under definition 
    expense
  • j

    Joey

    10/27/2022, 7:39 PM
    it needs to be under 
    employee
  • j

    Joey

    10/27/2022, 7:39 PM
    you could also make 
    manager: employee#user
  • c

    ColeOmni

    10/27/2022, 7:45 PM
    Awesome, that fixed it! Thanks for the help!
  • c

    chanced.

    10/27/2022, 8:19 PM
    Hey, when would 
    CheckPermissionResponse.Permissionship
    be 
    PERMISSIONSHIP_CONDITIONAL_PERMISSION
    ? https://buf.build/authzed/api/docs/main:authzed.api.v1#authzed.api.v1.CheckPermissionResponse.Permissionship
  • c

    chanced.

    10/27/2022, 8:20 PM
    I guess I should reframe that: does condition permission always imply the permission is granted?
  • j

    Joey

    10/27/2022, 8:21 PM
    right now - never
  • c

    chanced.

    10/27/2022, 8:21 PM
    okay, cool. Thanks.
  • j

    Joey

    10/27/2022, 8:21 PM
    once caveats feature is ready, whenever you have a caveated permission and did not provide sufficient context
  • j

    Joey

    10/27/2022, 8:22 PM
    conditional implies it could be, if the expression evaluates to true
  • c

    chanced.

    10/27/2022, 8:22 PM
    So it'd still be a failure?
  • j

    Joey

    10/27/2022, 8:22 PM
    and since we couldn't evaluate it, we don't know
  • c

    chanced.

    10/27/2022, 8:22 PM
    gotcha.
  • j

    Joey

    10/27/2022, 8:22 PM
    the intention is to say: "we need more info"
1...248249250...436Latest