# spicedb
Hello everyone, I'm currently exploring efficient ways to implement permission checks using SpiceDB in a Go-based environment and have a couple of questions I’d like to discuss:

Library vs. Server for Permission Checks:

Using a Go library (lib) or a sidecar for SpiceDB could potentially enhance performance, as it does not require querying a server each time permission checks are required. This approach should reduce computational overhead, especially with the caching mechanism shared directly with the service. Does anyone know if there's a way to limit cache size or overall memory usage in SpiceDB to optimize resource consumption?

Furthermore, I'm considering the idea of leveraging each service cluster and its nodes as a distributed SpiceDB cluster. This method could utilize the dispatch model across all types of services, potentially reducing costs and eliminating a single point of failure. Thoughts on this approach?

Permission Checks in gRPC for Go:

Typically, we use interceptors in middleware to handle permission verifications before a request reaches the handler. However, this might not be ideal with the ReBAC model. Standard permission checks (e.g., UserA can access ListObjects) often fall short, especially when users aren't authorized for specific items within a list. This scenario seems to necessitate permission checks at the handler level. The solutions could be either a precheck to retrieve a list of object IDs from SpiceDB that a user has access to or a postcheck to filter out inaccessible objects from the list. Is there a standard practice or recommended approach to implementing such permission checks with SpiceDB?

I appreciate any insights or experiences you can share regarding these implementations. Thanks in advance!
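The two handler-level options named in the post (precheck and postcheck), sketched as an added example that is not part of the original post. `Authorizer`, `memAuthz`, `Doc` and the sample data are hypothetical stand-ins; the assumption is that `Check` and `Lookup` would be backed by SpiceDB's CheckPermission and LookupResources calls in a real service.

```go
package main

import "fmt"

// Authorizer is a hypothetical stand-in for a SpiceDB client.
type Authorizer interface {
	Check(subject, perm, id string) (bool, error)
	Lookup(subject, perm string) []string
}

// memAuthz is constructed sample data: "subject#permission" -> resource IDs.
type memAuthz map[string][]string

func (m memAuthz) Lookup(s, p string) []string { return m[s+"#"+p] }
func (m memAuthz) Check(s, p, id string) (bool, error) {
	if id == "" {
		return false, fmt.Errorf("empty resource id")
	}
	for _, r := range m[s+"#"+p] {
		if r == id {
			return true, nil
		}
	}
	return false, nil
}

type Doc struct{ ID, Title string }

// PostFilter drops documents the subject cannot view; a check error denies.
func PostFilter(a Authorizer, subject string, page []Doc) (out []Doc) {
	for _, d := range page {
		if ok, err := a.Check(subject, "view", d.ID); err == nil && ok {
			out = append(out, d)
		}
	}
	return out
}

// PreFilter asks for the allowed IDs first and loads only those documents.
func PreFilter(a Authorizer, subject string, store map[string]Doc) (out []Doc) {
	for _, id := range a.Lookup(subject, "view") {
		if d, ok := store[id]; ok { // skip IDs with no stored document
			out = append(out, d)
		}
	}
	return out
}

func main() {
	az := memAuthz{"userA#view": {"doc1", "doc3"}}
	fmt.Println(PostFilter(az, "userA", []Doc{{"doc1", "Plan"}, {"doc2", "Payroll"}}))
}
```

The postcheck costs one check per fetched row and can return short pages, while the precheck keeps unauthorized rows out of the query entirely but has to handle a large allowed-ID set.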