spicedb
- v
vroldanbet
02/09/2023, 4:46 PMI think we don't have documentation specifically for the go client, but there are a bunch of examples in the repos readme https://github.com/authzed/authzed-go and also in our "first app" documentation, you can choose "Go" as language of choice: https://authzed.com/docs/guides/first-app - d
DharsanB
02/09/2023, 5:45 PMCool I'm trying to read users with a permission. But ReadRelationships Recv() receiver currently gets responses one by one. I'm trying to get all the users in one go - d
DharsanB
02/09/2023, 5:45 PMIs it possible? - j
Joey
02/09/2023, 6:00 PMUse
. If you want a good example of using the go lib, theResp
client source code is a good place: https://github.com/authzed/zed/blob/main/internal/commands/relationship.go#L222zed - d
DharsanB
02/09/2023, 6:01 PMAwesome Thank you - d
DharsanB
02/09/2023, 6:20 PMWorks - f
fierro
02/09/2023, 6:46 PMyeah sure! - f
fierro
02/09/2023, 7:08 PMso just for my understanding,
is the concrete example of therole_binding:jake_is_reader#user@user:jake role_binding:jake_is_reader#user@user:mitch
model failing to enforce that "single principle for a role binding" constraint (even though you can still achieve the same outcome by binding users to roles, as in GCP, via individual role binding relations per user lol)role_binding - j
Jake
02/09/2023, 7:34 PMIt's not about "enforcing" anything, it's just about modeling what's actually there, in GCP IAM you can't say, "jake and joey are reader and writer on instance 1", you can only say "jake is reader and writer on instance 1" and then "joey is reader and writer on instance 1" - f
fierro
02/09/2023, 7:57 PMack makes sense, "enforce" is the wrong word, I meant "adhere to GCP modeling" - d
dguhr-rh
02/09/2023, 8:02 PMa may-be weird thought just popped up and happy for your input, dunno what triggered it: I think one can think of relations as "write model", and of permissions as "read model" (ref: CQRS), right? we're checking for permissions, so we're looking at a projection of one or more relations. so relations are the write model, and the read model a.k.a. permission is the projection. does that make any sense? (late here 😉 ) - f
fierro
02/09/2023, 8:05 PMI liked this framing from the docs
So seems like thinking of permissions as a projection of relationships isn't far off.Relations define how objects can relate to other objects. Permissions are how we interpret relations to make access control decisions - d
dguhr-rh
02/09/2023, 8:35 PMok so I didn't go totally nuts 😉 thanks for the feedback! - f
fierro
02/09/2023, 11:28 PM@Jake is there a simple way you would characterize the difference in modeling decisions between the GCP iam role example and the older user-defined roles example ->https://authzed.com/blog/user-defined-roles/ - j
Jake
02/09/2023, 11:39 PMThe way the role object abstracts out the permissions from the specific objects they may or may not apply to. - s
soap_work
02/10/2023, 12:07 AMHi folks - hopefully a quick one. The syntax highlighting that the playground uses - is that available anyplace for use in regular vs code? - j
Joey
02/10/2023, 2:50 AMnot currently, but the basic highlighting is fairly simple. the complexity comes in when it does semantic highlighting, which the playground does as well - j
Joey
02/10/2023, 2:50 AMwe have plans to bundle into a VSCode extension at some point - s
Sjaak
02/10/2023, 5:07 AMHey guys, we had an issue on production with SpiceDB that caused garbage collection not to run for over a week. Due to other issues obfuscating it, we only realized late in the game that this was the root cause. Now we need to effectively clear out any of the old data, but the GC is timing out due to the volume. Is it possible to run GC manually? What does the deleted_xid column represent, when is data safe to delete? - j
Joey
02/10/2023, 6:00 AMrecent releases have a command to run GC directly via the CLI, but if it is timing out already, it likely has the same issue (since its the same code) - j
Joey
02/10/2023, 6:01 AMwhich statement is timing out? - j
Joey
02/10/2023, 6:01 AM
is the transaction ID of when the relationship was deleted; it will be a non-max-int if the relationship was deleteddeleted_xid - j
Joey
02/10/2023, 6:02 AMalso, was the issue on your end or something in SpiceDB? - s
Sjaak
02/10/2023, 6:02 AMThe error we're seeing is this: {"level":"warn","error":"timeout: context deadline exceeded","next-attempt-in":218420.667274,"time":"2023-02-10T06:00:29Z","message":"error attempting to perform garbage collection"} So effectively anything < 9223372036854775807 should be safe to delete? - j
Joey
02/10/2023, 6:03 AMsafe in the sense that it isn't relevant to data processing normally, yes. but it could cause problems with "in progress" check requests on older revisions - j
Joey
02/10/2023, 6:04 AMgranted, only for a few seconds - s
Sjaak
02/10/2023, 6:04 AMThe migration of the SpiceDB datastore was one version behind, an error was being logged to the console about the GC not running but it wasn't immediately clear that the migrations were the problem - j
Joey
02/10/2023, 6:04 AMah - j
Joey
02/10/2023, 6:04 AMwe also do export metrics on GC runs - j
Joey
02/10/2023, 6:04 AMin Prometheus