https://authzed.com logo
Powered by
spicedb
  • s

    silencer.xyz

    10/27/2022, 9:46 AM
    We are building an open-source low-code tool for developers to build internal tools. We can support you SpiceDB at our product but can we do some social media Co-branding or join our AMA? plz let me know.
  • u

    user

    10/27/2022, 12:17 PM
    hi, there's a copy typo on https://authzed.com/spicedb -- "The data used to calculate permissions have the most critical correctness requirements in the entirety a software system."
  • u

    user

    10/27/2022, 12:18 PM
    which is ironic in a sentence about "critical correctness requirements" ;)
  • j

    Joey

    10/27/2022, 2:19 PM
    thanks! we'll get that fixed
  • p

    Prchowdh

    10/27/2022, 5:54 PM
    * Provided two types - provide all the relation possible between them. 
    type project{
    relation admin:  user 
}
    [project,user]-> [admin] * provided one type & relation - provide all the type can be related provided type with the mentioned relation ship. 
    type project{
    relation admin:  user 
}
    [project,admin ] -> [user] * provided source , target types and relation - provide all the relation/permission of target type can be associated here 
    type project{
    relation admin:  group#all_member  
}
    [source : project, target : group , relation : admin ] ---> [all_member] At this point - no such API exist - correct ?
  • j

    Joey

    10/27/2022, 6:44 PM
    there are currently no reflection APIs
  • j

    Joey

    10/27/2022, 6:44 PM
    there are two proposal issues tracking them
  • p

    Prchowdh

    10/27/2022, 6:50 PM
    is this one of them https://github.com/authzed/spicedb/issues/613 ? could you share other ?
  • j

    Joey

    10/27/2022, 6:51 PM
    see the Related comment: https://github.com/authzed/spicedb/issues/439
  • c

    ColeOmni

    10/27/2022, 7:13 PM
    Hi all, I'm working on a sample policy and I wanted to refer to a relation's relation 
    permission view = creator->manager->user
    it gives me an error message: Nested arrows not yet supported If this isn't supported, it requires us to denormalize the model, we will need to add redundant relationships for child resources. Doesn't this defeat the purpose of a relational system?
  • j

    Joey

    10/27/2022, 7:14 PM
    you don't need to add additional relationships
  • j

    Joey

    10/27/2022, 7:14 PM
    permission manager_user = manager->user
  • j

    Joey

    10/27/2022, 7:14 PM
    and then reference that in the parent permission
  • j

    Joey

    10/27/2022, 7:14 PM
    its not as nice (which is why we do intend to support nested arrows)
  • j

    Joey

    10/27/2022, 7:14 PM
    but its is semantically equivalent
  • j

    Joey

    10/27/2022, 7:15 PM
    also, if you're referencing 
    ->user
    under a role, you probably want that role to point to the user directly
  • j

    Joey

    10/27/2022, 7:15 PM
    but to know for sure, I'd have to see your schema
  • c

    ColeOmni

    10/27/2022, 7:32 PM
    My schema so far is below. I am trying to determine the view permission based on the relationships of the expense resource, but the nesting error seems to want me to only refer to direct relationships in the rules. 
    definition user {
}

definition employee {
    relation user: user
    relation manager: employee
}

definition expense {
    relation creator: employee 
    // creator of expense can view
    permission view = creator->user

    // manager of creator of expense can view
    // multiple hierarchal lookup 'creator->manager->user' doesn't work because `Nested arrows not yet supported`
    // permission view = creator->manager->user
}

// facts
// employee:abc#user@user:1
// expense:1#creator@employee:abc
// employee:xyz#user@user:2
// employee:abc#manager@employee:xyz

// assertions
// - "expense:1#view@user:1"
// - "expense:1#view@user:2"`
    I tried your work-around 
    permission manager_user = manager->user
    but it also doesn't like that, it says relation/permission 
    manager
    not found under definition 
    expense
  • j

    Joey

    10/27/2022, 7:39 PM
    it needs to be under 
    employee
  • j

    Joey

    10/27/2022, 7:39 PM
    you could also make 
    manager: employee#user
  • c

    ColeOmni

    10/27/2022, 7:45 PM
    Awesome, that fixed it! Thanks for the help!
  • c

    chance

    10/27/2022, 8:19 PM
    Hey, when would 
    CheckPermissionResponse.Permissionship
    be 
    PERMISSIONSHIP_CONDITIONAL_PERMISSION
    ? https://buf.build/authzed/api/docs/main:authzed.api.v1#authzed.api.v1.CheckPermissionResponse.Permissionship
  • c

    chance

    10/27/2022, 8:20 PM
    I guess I should reframe that: does condition permission always imply the permission is granted?
  • j

    Joey

    10/27/2022, 8:21 PM
    right now - never
  • c

    chance

    10/27/2022, 8:21 PM
    okay, cool. Thanks.
  • j

    Joey

    10/27/2022, 8:21 PM
    once caveats feature is ready, whenever you have a caveated permission and did not provide sufficient context
  • j

    Joey

    10/27/2022, 8:22 PM
    conditional implies it could be, if the expression evaluates to true
  • c

    chance

    10/27/2022, 8:22 PM
    So it'd still be a failure?
  • j

    Joey

    10/27/2022, 8:22 PM
    and since we couldn't evaluate it, we don't know
  • c

    chance

    10/27/2022, 8:22 PM
    gotcha.
1...248249250...325Latest