Hi 👋 I noticed there is CLA and DCO in your repositories, which one should I use if I want to contribute? Are you moving from one to another?

Hi, I'm investigating whether spiceDB would be good for our use case and have some questions, a few high-level, and a few low-level, I hope this is the correct place. First off, do you have any data on scaling available? I was planning on running some basic benchmarks but something that would be good to know is how complex relationship hierarchies affect query-times. Something that I was planning on testing is, if we have a user with let's say 5 different ways of reaching a given resource with each nesting once, think user -> group -> resource, and user -> api-key -> resource, etc. With the user in total having access to 10 000 000 unique resources and only one of the ways reach the resource with the given permission required (think all others giving 'read' and only one giving 'write' and we're querying for write), would that give a reasonable query time, where reasonable being at most about 500ms but pereferably less. Assuming single instance postgres as backing. And more to some detail, we're writing the integration in rust so we had to get a hold of the protos, I looked for them in the repo but some I couldn't find and had to pull them from here https://buf.build/authzed/api/tree/main:authzed/api/v1 I was surprised that the *_service.proto files arent easy found in the github source while some of the others are. But I'm not that familiar with go toolchains and this way of distributing protos so it might just be some stupid misunderstanding of how this is managed on my part. What's the preferred way to get client protos?

Lastly some detail, I'm looking at caveats. We have some contextual data that should not be stored to prevent data duplication/desync, caveats seem like a good way to provide that data, so I have some schema that I'm experimenting with that looks like this:

definition user {}

definition organization {
  relation member: user
  relation admin: user

  permission read_any_module = member + admin
  permission edit_any_module = admin
}

definition module {
  relation creator: user
  relation owner: organization
  relation sudo: user:* with escape_hatch

  permission read = sudo + creator + owner->read_any_module
  permission edit = sudo + creator + owner->edit_any_module
}
/** disregard using a string thats actually a bool when bool is a datatype, it's just messing around, ideally we'd be able to have a no-arg caveat here, like escape_hatch() but that doesn't parse right **/
caveat escape_hatch(open string) {
  open == "true"
}

What we'd like to achieve is that any user can access any resource if the context is provided, but since we can't wildcard resources we have to create a relationship with every module that specifically maps a wildcard user with escape_hatch to sudo. We don't have to do data-duplication so it's workable, but it isn't very economical in terms of data-storage. Is there a better way to achieve a similar setup?

CLA or DCO

Hi, is it possible to get all relations of a particular kind. Say I want to delete a certain schema definition, then i need to clear all relevant relatios first, which makes sense! But can I ask SpiceDB to get all relevant relations without knowing all ressources involved beforehand. Its a kind of expected relation but only on type ? I later solved it by making a more open deleteresponse only consisting of ressourcetype, subjecttype and relation, which then removed all relevant relations 🙂

Regarding performance, then i did a local test, all on same machine, so no network involved, using vanilla postgres, on a 5 mill relations data set. I got the same performace regardless of 100.000 or 5 mill entries in spiceDB, so a runtime complexity almost at O(k), which is very good. My particulars was 6ms pr write relation and 0,5 ms pr random read all across the data set. I noticed that the first 20.000 continuous writes was/is halv the execution time at 3ms pr write, is seem that is somehow buffers write to a certain extend then adds some processing time after that.

Oh excellent, thanks for the response!

Hi is it possible to get all relations

thanks for sharing!

Hi I m investigating whether spiceDB

Lastly some detail I m looking at

Hi all! I'm a part of the flowcode team and looking for some guidance on the different ways we can leverage authzed in our system. Currently working on a project that allows users to search across objects that they have access to within their org. Initially the thought was to reach out to authzed for each object_id and check access however that was too slow. Then we switched to running all the requests ("does bob have access to foo") concurrently which helped, but wondering if there are other strategies for bulk checking built into authzed? Thanks!

Take a look at the lookup resources API; further improvements will be tracked in https://github.com/authzed/spicedb/issues/207

Hi everybody ! I'm trying to implement test using pytest and specially creating a mock client. I wish to avoid using serve-testing. Is it possible ? If it is, is there an example for this ? As the flask realworld example seems outdated.

Hi everybody I m trying to implement

Testcontainers test using go: Problem with setup

Hello everyone! I have one issue with migration from v1.12 to v1.16. Lookup resources doesn't work after migration. I get only old resources that I have linked before migration. If I create relationships, I don't get new resources. Is this known issue or better to do new issue on github? Can anybody help me?

have you fully rolled out 1.16?

Yes, I've updated docker images to 1.16 and run "migrate head". The migration has executed successfully. Is it necessary to do something else?

shouldn't be; no

what datastore type are you using?

I'm trying to implement pagination on resources a user has permission for by first using LookupResources using an offset and a limit to filter the resource IDs before querying mysql with those IDs. Is that a sound implementation? because every time a new page is requested we go through all the resources, the LookupResources doesn't allow for filtering in spicedb itself

it really depends on the size of your LR response; if it gets too large, then it could slow down for later pages

is there a recommended way/ways of doing pagination with spiciedb?

using LookupResources, no. We're currently investigating solutions that would allow for pre-joining against existing databases: https://github.com/authzed/spicedb/issues/207

ok, thank you

in my experience, showing a user a paginated list of everything they have access to becomes unusable after a few pages anyway

they'll almost always want to filter by a query, or another factor

so would it be best to check the permission on each of the resources after getting the resources, instead of looking up all the resource IDs they have permission for first?

so we can use mysql LIMIT and OFFSET and some other filters before querying spicedb