844600078504951838 #spicedb

Channels

dsieczko

11/23/2022, 5:43 PM

That’s interesting - it’s come up before. @jzelinskie would we potentially track something like this in a separate repo?

yetitwo

11/23/2022, 5:53 PM

my team is talking about implementing a connector for our audit system and we were kicking around the idea of contributing it upstream if there was interest

yetitwo

11/23/2022, 5:53 PM

we're also a clojure shop - do you have a preference on implementation in clojure vs java?

vroldanbet

11/23/2022, 5:59 PM

I guess if with "contributing it upstream" you mean donating the repository, and we had to mantain it, java may be something we could maintain since we have some experience with the language and ecosystem. That something we'd have to discuss as a team because there is so much we can commit to maintain. An alternative model is you maintain it and we list it in the awesome spicedb repository https://github.com/authzed/awesome-spicedb

yetitwo

11/23/2022, 6:02 PM

that makes sense. i'll keep y'all apprised.

vroldanbet

11/23/2022, 6:03 PM

thanks for volunteering to contribute to the project! ✨

jzelinskie

11/23/2022, 6:34 PM

@yetitwo are y'all using debezium?

yetitwo

11/23/2022, 6:53 PM

yeah, we're using it for other functionality

RobertM

11/24/2022, 2:26 AM

Hi! Sorry, did you have a chance to talk to operator experts?

Joey

11/24/2022, 2:27 AM

Right now a secret is required but we’ll file an issue to allow other means of configuration

RobertM

11/24/2022, 2:28 AM

Thank you!

Joey

11/24/2022, 2:28 AM

What specifically would you like to configure using env vars?

Yansong

11/24/2022, 3:34 AM

hi guys sorry to disturb you. i have one trouble during use spiceDB. i will very appreciate it if anyone can help on it. my question is how can i specify explict role for user, and make objects available for the role? for example, there are several role: 1. dev 2. project_manager 3. admin dev can see the codebase, project_manager can see the schedule and admin can see both. how shuold i draft it as zed schema? is this true?

definition user {}

definition role {
    relation project_manager: user
    relation dev: user
    relation admin: user
}

definition codebase {
    relation member: role#dev | role#admin

    permission view = member
}

definition schedule {
    relation member: role#project_manager | role#admin

    permission view = member
}

it looks weird...

RobertM

11/24/2022, 3:44 AM

I just think we could have more flexible way of passing credentials and datastore host. Currently I have host, user and password stored in another secret (generated by another operator). I wished there was a way to reuse this by the operator, either by passing them as env variables or being able to point at them so operator could build datastore_uri itself. When writing deployment on my own I could write something like

- name: PG_USER
              valueFrom:
                secretKeyRef:
                  name: pguser-credentials-secret
                  key: user
- name: PG_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: pguser-credentials-secret
                  key: password
- name: PG_HOST
              valueFrom:
                secretKeyRef:
                  name: pguser-credentials-secret
                  key: host
- name: "SPICEDB_DATASTORE_CONN_URI"
              value: postgres://$(PG_USER):$(PG_PASSWORD)@$(PG_HOST):5432/spicedb

Yansong

11/24/2022, 3:54 AM

oh i found this article: https://authzed.com/blog/user-defined-roles/ it is good enough thx

Joey

11/24/2022, 4:24 AM

https://github.com/authzed/spicedb-operator/blob/f98d9ac5dc903ea1678f2df723261ee779dcc31c/pkg/config/config.go#L46 defines the config that can be specified, but I think you can use

passthrough

to give the otherwise defined config

Joey

11/24/2022, 4:24 AM

but I think the datastore still needs to be referenced from a secret

Joey

11/24/2022, 4:25 AM

that's a workable approach, yes. you could also define the permissions on the role itself and then use an arrow to those permissions too

Yansong

11/24/2022, 4:28 AM

then what will id of role be? one auto-incremental integer? 🤔 i think the role is more like one list of attributes, which make me so confused

Yansong

11/24/2022, 4:29 AM

BTW thank you so much for your reply!

Joey

11/24/2022, 4:33 AM

if you intend roles to be shared, you'd give them unique IDs

Joey

11/24/2022, 4:33 AM

otherwise, if you're just going to be assigning single users, you don't need the

role

type

Yansong

11/24/2022, 4:35 AM

got it! let me have one try. thank you so much !

Yansong

11/24/2022, 7:55 AM

definition user {}

definition group {
    /**
     * member can include both users and *the set of members* of other specific groups.
     */
    relation member: user | group#member
}

Yansong

11/24/2022, 7:56 AM

hi sorry to disturb you guys. may i know the difference between

relation member: user | group#member

and

relation member: user | group

? i am a little bit confused by the doc

vroldanbet

11/24/2022, 8:21 AM

group#member

makes references to the

member

relation in

group

. So instead of pointing to the group (by using

group

), you are pointing to the members of an specific group.

Yansong

11/24/2022, 8:23 AM

but when we create relationships, we still only pass the group id, doesn't it?

Yansong

11/24/2022, 8:24 AM

so the real difference is if we use the relation as permission, whether we check group id or check user id

Yansong

11/24/2022, 8:24 AM

am i wrong?

vroldanbet

11/24/2022, 8:35 AM

when you write the relationship, i'd look like: -

group:1#member@user:1

group:1#member@group:2#member