And that to make pgx works with pgbouncer, some additional connConfig as to be made, like: func TestPgbouncerStatementCacheDescribe(t *testing.T) { connString := os.Getenv("PGX_TEST_PGBOUNCER_CONN_STRING") if connString == "" { t.Skipf("Skipping due to missing environment variable %v", "PGX_TEST_PGBOUNCER_CONN_STRING") } config := mustParseConfig(t, connString) config.DefaultQueryExecMode = pgx.QueryExecModeCacheDescribe // This seems to be important config.DescriptionCacheCapacity = 1024 testPgbouncer(t, config, 10, 100) }

Should I open an issue https://github.com/authzed/spicedb/issues?q=is%3Aissue+is%3Aopen+pgbouncer ?

@poulpi I've ran into that in the past (unrelated to SpiceDB) - can you set your pgbouncer pool mode to

session

?

Team - After I setup the cluster using operator , I was trying to setup apply the example configuration using the following command

kubectl apply -k cockroachdb-tls-ingress/.

And getting the following error :

error: accumulating resources: accumulation err='accumulating resources from 'ingress': '/home/prchowdh/ecommerce/spicedb-operator/examples/cockroachdb-tls-ingress/ingress' must resolve to a file': recursed accumulation of path '/home/prchowdh/ecommerce/spicedb-operator/examples/cockroachdb-tls-ingress/ingress': loading KV pairs: file sources: [tls.crt tls.key]: evalsymlink failure on '/home/prchowdh/ecommerce/spicedb-operator/examples/cockroachdb-tls-ingress/ingress/tls.crt' : lstat /home/prchowdh/ecommerce/spicedb-operator/examples/cockroachdb-tls-ingress/ingress/tls.crt: no such file or directory

Hello Gurus, In lookup Subject API Response, there is array of excludeSubjectIds , what is usecase for this ?

Did you generate certs: https://github.com/authzed/spicedb-operator/tree/main/examples/cockroachdb-tls-ingress#configure-root-ca

I believe this is for when you have concrete exceptions to a wildcard, but @Joey can say for sure, like if you had

(allowed - denied)

and

document:123#allowed@user:*

and

document:123#denied@user:jake

This is super 👌

correct, although

excludedSubjectId

is now deprecated in favor of

excludedSubjects

We're not using it with pgbouncer anywhere, your analysis sounds reasonable, go ahead and file an issue and you can even take a stab at fixing it if you want

How to use excludeSubjects, is there any documentation, I am using REST API

if the found subject is

*

, then excluded subjects will be a list of those subjects to not be included

should just be a list on the returned result

spicedb-operator/examples/cockroachdb-tl...

note that if there aren't any excluded subjects, the list may not appear at all

So even empty list will not be available in response unlike excludeSubjectIds ?

it may not be, no

but if it isn't there, you can assume there are no excluded subjects

Got it, thanks for clarification 👍

Of course!

hey guys i just got the email that you guys are looking for a recent computer science graduate to join the team. here i am 🙂

hey @jbrown - thanks for joining the community! I'll DM you now

sounds good!

besides the log viewable from the terminal or docker logs, where is the "structured logging" residing ?

@Unhinged 👋🏻 SpiceDB logs can only be configured to be emitted either as

console

(human readable form) or

json

for structured logging. You can use

--log-format

to change the logging format.

I have another design question; consider the following schema

definition document {
    relation aaa: group#member
    relation bbb: group#member

    permission ccc = aaa & bbb
}

definition group {
    relation member: user
}

definition user {}

Here users get their permission by the group that they are in. For permission

ccc

then need permissions

aaa

and

bbb

. In this example if a user is part of

group1

which has

aaa

on

document1

and is also part of

group2

which has

bbb

on

document1

then this user has permission

ccc

on

document1

. However, lets say we want permissions to only come from a single group so that a user only has permission

ccc

if they are in a group that has both

aaa

and

bbb

. How do I do this? My naive incorrect approach was this

definition document {
    relation aaa: group
    relation bbb: group

    permission ccc = (aaa & bbb)#member
}

definition group {
    relation member: user
}

definition user {}

but that is (unsurprisingly) syntactically incorrect. What would be a good way to model this, perhaps using auxiliary definitions/relations/permissions? (Note: this is of course simplified from our actual usecase so just merging

aaa

and

bbb

does not work for us)

Hi, if I want to update a relationship, such as change a user's relation from Writer to Reader only, would I have to delete the Writer relation and then create a new Reader relationship tuple? And if so, since WriteRelationshipsRequest (in https://github.com/authzed/authzed-go/) accepts an array of RelationshipUpdates, can I prepend an update with Delete operation before the CREATE operation update? Or would this be considered as an anti-pattern (performing a delete within a request for writing)?

yes, you can do both in the same update

i'm trying to wrap my head around a model that uses a notion of "permission sets" and "roles", where the idea is that you attach a role to a permission set that indicates what a role can do with a particular object, and an object which indicates which thing that role applies to, and then the permission on the object is calculated with the intersection of the role being applied to the object and then the role being attached to a permission set with a specific permission, which would theoretically make the permission sets reusable across a set of roles. this is what i've got so far, but I think i'm missing something important about subject relations: https://play.authzed.com/s/TLKFaZdIAIsr/schema because the graph doesn't look right to me. is there anything obvious that i'm doing correctly or incorrectly?

i guess a more specific question: do subject relations point "up" or "down?"