likely the caveats feature SpiceDB #spicedb

Join Discord

likely the caveats feature

# spicedb

yetitwo

05/14/2024, 1:49 PM

likely the caveats feature

Ian

05/14/2024, 1:51 PM

Hi @yetitwo , thanks. I had looked at the caveats feature, but that seemed to be intended more for conditional relationships, than actually passing in brand new relations. Do you have an example you might be able to share? I found this article, but it's not quite what we need: https://authzed.com/blog/top-three-caveat-use-cases

yetitwo

05/14/2024, 1:52 PM

it wouldn't be represented as a temporary relation - you'd need to rephrase your request in terms of the caveats feature

yetitwo

05/14/2024, 1:52 PM

in spicedb, if you have request-time information that you want to provide, you do it with caveats

Ian

05/14/2024, 1:56 PM

Ok. I'll try to think through how that could work. At first glance, it seems like we'd need to duplicate our auth logic, one eval path for users managed via relations on groups in SpiceDB, and another evaluation path (probably with the union "|" operator) that says if their context has a specific group?

yetitwo

05/14/2024, 1:57 PM

i'm not sure off the top of my head - caveats are one feature i haven't dug into

Joey

05/14/2024, 2:17 PM

if a user has access without condition, writing them directly

Joey

05/14/2024, 2:17 PM

if they have conditional access, write the relationship with a caveat

Ian

05/14/2024, 2:56 PM

Hi Joey, can you explain more? As I understand it, the user's access would not be conditional, they would be a part of their groups present in their token. The difference is I just need to pass in those relationships during the evaluation, since my application won't know about them before receiving the token

Joey

05/14/2024, 3:07 PM

does the token say they are part of a group or is it something other indication?

Ian

05/14/2024, 3:18 PM

Yeah, generally with some of the enterprise IDP's we integrate with, they have a claim in the token that is similar to:

Copy code

"groups": ["group1", "group2"]

So generally, it says they are members of a group or role

Joey

05/14/2024, 3:27 PM

and how would these groups impact the authz decisions?

Joey

05/14/2024, 3:28 PM

how do they link over?

Ian

05/14/2024, 3:31 PM

They would correspond to a

member

relation on a

group

resource in our authorization model. Then permissions would be determined from the groups relation with other resources. You could think of it as well in terms of roles, the claims in the token would represent the roles that have been assigned to the user from the external IDP, so those roles would then have relations with other objects.

Joey

05/14/2024, 3:51 PM

right, but to... what? if the membership of the groups is not contained in SpiceDB, what are you linking to? is it the resource->group?

Ian

05/14/2024, 4:01 PM

I'm not sure I understand your question but let me give an example to see: One of our resources is a

project

, and project would have a relation

owner: group#member

, and permissions would apply to the project resouce based on the members of the

owner

group.

Joey

05/14/2024, 4:01 PM

okay, so it is resource->group

Ian

05/14/2024, 4:03 PM

Yup, it would be resource->group, then group->user, but the group->user comes from the IdP's token. OpenFGA supports this by passing in evaluation-time relationships that are not persisted in the relationship DB. I'm trying to understand what might be a way in SpiceDB to support this workflow

Joey

05/14/2024, 4:04 PM

you'd write a caveat on the member to

user:*

and check the group ID

Joey

05/14/2024, 4:04 PM

Joey

05/14/2024, 4:05 PM

Copy code

caveat has_matching_group_id(group_id string, users_group_ids list<string>) {
  users_group_ids.contains(group_id)
}

definition group {
  relation member: user:* with has_matching_group_id
}

then write a relationship

group:whatever#member@user:*[has_matching_group_id:{"group_id": "whatever"}]

Joey

05/14/2024, 4:05 PM

something like that

Joey

05/14/2024, 4:06 PM

eval-time relationships are "easier", but they would have a negative caching impact

Joey

05/14/2024, 4:06 PM

we've been investigating what it would look like to support it without destroying caching

Joey

05/14/2024, 4:07 PM

but nothing concrete on that yet

Ian

05/14/2024, 4:09 PM

Ok I think I'm understanding now. So this effectively says "make any user a member of group whatever, but only those that have a matching group ID in their context at eval time can use the relationship"?

Joey

05/14/2024, 4:14 PM

basically

Joey

05/14/2024, 4:14 PM

you could also just not have the

group

itself

Joey

05/14/2024, 4:14 PM

and instead do

Joey

05/14/2024, 4:14 PM

Copy code

caveat has_matching_group_id(allowed_group_ids list<string>, users_group_ids list<string>) {
  // ensure the groups have crossover
}

definition project {
  relation viewer: user:* with has_matching_group_id
}

Joey

05/14/2024, 4:15 PM

err, sorry;

project

Joey

05/14/2024, 4:15 PM

I forget the exact function name for intersection of lists

Joey

05/14/2024, 4:16 PM

that would likely be more efficient, if a bit less nice to manage

Ian

05/14/2024, 4:38 PM

Ok that makes sense. Thank you very much for the examples Joey!

94 Views

Previous Next