What types of authorization checks can I do with S...
# spicedbc
CasperT
12/12/2023, 8:04 AMI am a bit unsure, is SpiceDb meant to lookup the relations, or only return the permission definitions. I am asking because my co worker, says SpiceDb is not meant lookup the actual relation between subject and resource.
v
vroldanbet
12/12/2023, 8:16 AMI'm not sure what you mean with "lookup" here. If what you mean is whether SpiceDB allows you to read relationships back, then yes, there is an API for this:
ReadRelationshipsReadRelationshipsc
CasperT
12/12/2023, 8:20 AMWould I be able to get the same results, as I get from the expected relations in playground. If yes, then I can use SpiceDb to tell exactly what resources a subject can access.
b
brentpi_35990
12/12/2023, 8:22 AMYes; I use the playground as a development testbed for all my stuff and it's accurate to what I see from SpiceDB regularly.
c
CasperT
12/12/2023, 8:22 AMThanks a lot 🙂
b
brentpi_35990
12/12/2023, 8:22 AMOf the zanzibar-esque permissioning systems, SDB is the best one in my opinion.
c
CasperT
12/12/2023, 8:23 AMSorry for my in experience, but is SDB
b
brentpi_35990
12/12/2023, 8:23 AMSpiceDB
c
CasperT
12/12/2023, 8:23 AMAhhhh 😄
b
brentpi_35990
12/12/2023, 8:24 AMI looked at all the other options such as Ory Keto, etc prior to SpiceDB and Spice seemed to be the only one that did everything that I needed it to do - but the learning curve was a bit steep initially (this was about a year ago now) - it's definitely changed since then.
brentpi_35990
12/12/2023, 8:25 AMI have a lot of nested/recursive relations, and it's hard to find a system that handles those /well/.
v
vroldanbet
12/12/2023, 8:28 AM@CasperT everything you can do in the authzed playground you can do with SpiceDB. If you are using it, your browser is in fact running a WASM version of SpiceDB, so it's the real deal 😃
vroldanbet
12/12/2023, 8:28 AM@brentpi_35990 thanks for sharing! I'm biased but I agree 😉
vroldanbet
12/12/2023, 8:33 AMFYI what the "expected relations" tab in the UI is using is the Expand API: https://buf.build/authzed/api/docs/main:authzed.api.v1#authzed.api.v1.PermissionsService.ExpandPermissionTree
c
CasperT
12/12/2023, 9:13 AMSo the intended use of spicedb is to actually expand the permission tree, to get the precise access to resources, based on relation and permissions?
v
vroldanbet
12/12/2023, 10:34 AMI don't think you can say "the intended use of spicedb" is that. It's one of the many exposed APIs SpiceDB has. I think the most used API is
PermissionCheckb
brentpi_35990
12/12/2023, 12:43 PM@CasperT the questions you can generally answer:
- does X subject have Y permission on Z item (CheckPermission)
- which subjects (ie: users) have a certain permission over a certain resource (ie: 'post')
- which resources of a particular type that a certain subject has a particular permission over (I use this to populate 'IN' statements for SQL queries, as one example)
- list all relationships on a particular object (note: not 'permissions'; but 'relations' - permissions are computed and relations are stored)
amongst many other things. Those are my top 4 use cases
2 Views