spicedb
- j
Joey
11/22/2021, 3:04 AMyou'd define a resource "type" or "class" - j
Joey
11/22/2021, 3:05 AMgrant access to the user on that - j
Joey
11/22/2021, 3:05 AMthen link each resource to its type - j
Joey
11/22/2021, 3:05 AMso something like... - j
Joey
11/22/2021, 3:06 AMdefinition tenant { relation admin: user } definition resourcetype { relation viewer: user } definition resource { relation parent_tenant: tenant relation type: resourcetype relation viewer: user permission view = viewer + type->viewer + parent_tenant->admin } - j
Joey
11/22/2021, 3:06 AMin this example, a user can view if they are (a) a viewer of the particular resource (b) a viewer on the resource's type(s) or (c) an admin on the parent tenant - j
Joey
11/22/2021, 3:06 AMyou might also have a resource type live under a tenant, if they change - t
toby357
11/22/2021, 3:07 AMAhh yes that make sense, thanks will play around - t
toby357
11/22/2021, 3:07 AMMuch appreciate - t
toby357
11/22/2021, 3:07 AMd - j
Joey
11/22/2021, 3:07 AManytime 🙂 - p
phroggyy
11/22/2021, 2:46 PMhere's a question I can't quite wrap my head around sensibly. For some context, I work with recruitment software, so we have "recruitments" and "companies" in this specific case. You can either have inherited permissions (such as "I'm an HR manager for the company"), where a role on the company will grant access to all recruitments, or you can have individually granted permissions. All of this is fine and dandy and works great in a Zanzibar-style system. My question comes to the implemention of listing those recruitments (this goes beyond authz, and is about figuring out authz + business logic). If a given company has 10k recruitments, and one user has access to all (by virtue of being manager on the company, e.g
), and another user has been granted access to 3 distinct recruitments, what's a sensible way to list the recruitments a user has access to? If I want to e.g list 25 records, I can of course retrieve 25, and check if the user can access each individual one, but for the user that has access to 3, it might be that none of the first 25 are accessible, so then I have to retrieve the next 25, for potentially 400 queries. Of course, I can also list a bunch more recruitments and narrow it down, but now I have to deal with a lot of wasted memory. Lastly, I can make my code do multiple checks: 1. Can I "list all recruitments" on the company? 2. If yes, query latest 25 and return ⬛️ 3. Query the authorization database "which recruitments do I have direct access to?" 4. Query the recruitments database, only in certain IDs ⬛️ I feel like I'm missing something in my mental model for this – any advice? I think this seems similar to the question @User answered yesterday on resource type vs specific resource, but I'd love some more clarity on itcompany->manager - j
Jake
11/22/2021, 2:49 PMyou're looking for the "LookupResources" method - j
Jake
11/22/2021, 2:50 PMthat will let you start from a subject, e.g.
, and find all objects of typeuser:phroggyy
that they have a specific permission on, e.g.recruitmentview - j
Jake
11/22/2021, 2:52 PM - p
phroggyy
11/22/2021, 2:54 PM@User how do I approach the scenario above of handling access to both specific recruitments or all recruitments? - p
phroggyy
11/22/2021, 2:54 PMDoes it make sense to go with the "two-step" approach of first checking "can I list all of the resource", and if not check which specific ones? - p
phroggyy
11/22/2021, 2:55 PMOf course, I could query for "show me everything I have access to", but then I have to deal with potentially getting 10k records back which I'd need to handle in the query - j
Jake
11/22/2021, 2:55 PMwhy do you need to distinguish between the two cases? The response type for
is streaming so you can just stop reading when you have enough recruitments for whatever you're trying to doLookupResources - p
phroggyy
11/22/2021, 2:58 PMRight, so for example, if I were to go to "page 12", I'd list all and discard the first "11 pages" worth of records, right? What about search? If we support search to narrow down the result set, what order seems reasonable for that? Search first, get all (potentially thousands) records and check access for the first
?{pageSize} - p
phroggyy
11/22/2021, 2:59 PMSo I need to search within the recruitments I can access - p
phroggyy
11/22/2021, 2:59 PMAgain, this is beyond just the authz part, I'm just trying to put together the mental model of how to work with authz and the primary datastore in an efficient way - j
Jake
11/22/2021, 3:00 PMyep these are all tough questions - p
phroggyy
11/22/2021, 3:00 PMYep, bit open-ended, so more than anything I'm trying to gather perspectives to help us evaluate our options - j
Jake
11/22/2021, 3:00 PMwe've got this proposal and the beginnings of an implementation for making this problem easier: https://github.com/authzed/spicedb/issues/207 - j
Jake
11/22/2021, 3:02 PMTL;DR there is a datastructure called a roaring bitmap that some databases have support for through extensions, and it would be possible to pass that in as a filter on your queries, so then the flow would be: 1) get roaring bitmap of all things that the user has access to 2) query the database/search elasticsearch with my other parameters/filters 3) return the results to the user - j
Jake
11/22/2021, 3:03 PMthis is still highly speculative at this point - j
Jake
11/22/2021, 3:04 PMGoogle has a search index that they use internally built on top of Zanzibar, but they haven't written about it or shared any implementation details with the world yet - p
phroggyy
11/22/2021, 3:06 PM"ACL-aware filtering" is the term I didn't know I was looking for, thank you! - p
phroggyy
11/22/2021, 3:09 PMReally interesting read, thanks for the info, appreciate it. I'm glad to know it's a hard problem to solve at least