but you won't hear any complaints from me if it isn't feasible! i used to contribute to a programming language and i remember how impactful seemingly small changes like that can be to a system

is there any way to administer the share urls created in the playground? i'd like to delete one - i ultimately do not want the contents to be available from a public url

currently, no, they are considered a shared secret - if you know the URL, you can access it

we do provide a download/upload mechanism, but that also does a share as part of the process

I can investigate changing that tomorrow to only create the file locally, if you want to share out of band with someone

@User do you need us to delete one?

Yes, thank you!

DM me the URL

Hey folks 👋🏻 One of the questions I had written down and meant to ask a while ago was expectations around ordering of results in LookUp / Expand API calls. As you note in the blog post, filtering is mostly used in index-like pages that list authorized resources. Such pages also tend to have various ordering criterias for the list rendered to the user. Some examples: - github's user repo page: https://github.com/?tab=repositories - githubs organization repo page: https://github.com/orgs/github/repositories Im wondering: - are there any ordering guarantees in Lookup/Expand API results? - how can an application order by other criterials without loading the full result set in memory?

there are no guarantees in ordering and the expectation is that if ordering is required, Tiger cache will be the solution (e.g. you'll load the roaring bitmap and use that on a filter on a call that does the ordering on your side)

this is because the metadata used for ordering could really be anything, and is generally not stored as relationships in SpiceDB

got it, after reading the Tiger API issue it makes a lot of sense to handle ordering once that building block is in place 👍🏻.

Do I get right that y'all are planning to architect that as separate backend services from the SpiceDB process?

yeah

it'll use the Lookup Watch API (I forget the new name for it), and then store the results in roaring tiger bitmap format

the plan, however, is to provide the API through SpiceDB

Hey Guys, I am using this schema... My usecase is I want owner of the organization to be the member of the namespace only. How should I model it, any idea? 🙂

definition user {}

definition namespace {
    relation owner: user
    relation member: user
    permission is_ns_member = owner + member
}

definition organization {
    relation namespace: namespace
    relation owner: user
    permission is_org_member = owner + namespace->is_ns_member
}

@babycobra what do you mean by “member of the namespace only”? Do you mean the user needs to be both owner and member of the namespace?

If you need to meet two (or more) conditions, the intersection operator (‘&’) can be used. We’ll also take a look again in the morning if/when we get clarification on your use case

My users are global, and user can belong to multiple namespaces, and as my organization belongs to a unique namespace, so I want only the user belonging to the same namespace, can be the owner and member of that organization.

I hope I made my usecase clear.

gotcha. so there are two options readily available: (1) enforce on your side that the user(s) set as owner are part of the namespace or (b) have

permission is_org_member = owner & namespace->is_ns_member

which will only contain users that are both

owner

and a member of the namespace.

does anyone know, has google published much information about how zanzibar is used from the perspective of a client? the original paper of course focuses on the system itself but it would be really useful and interesting to know about the experience of using it

unfortunately there's nothing

a lot of the innovation we're doing (e.g. the schema language) is built into that blank space

and we're always looking for suggestions/ideas/feedback

apologies for retreading something i already brought up just a few days ago in here, but the main thing i'm struggling with is best practices for keeping spicedb in sync with the main data model. whether it's a tool you could actually run or documentation about what works best i think something there would be excellent

@User at this moment in time, the recommendation is to commit to SpiceDB and then commit to your DB and, if SpiceDB write fails (for whatever reason), rollback the DB changes without commit

we can put together a doc about it

but in very rough pseudo-code (using Python as an example):

with db_transaction() as transaction:
    # Write to the DB in the transaction
    ...

    # Write to SpiceDB
    try:
      resp = authzed_client.v1.WriteRelationships(....)
      # Store the zedtoken returned in `resp` on the resource being modified in the DB
    except:
       transaction.rollback()
    finally:
       transaction.commit()