hello) i have a question about SpiceDB #spicedb

hello) i have a question about

Yaroslav

06/28/2024, 7:40 AM

hello) i have a question about LookupResources request. I have definition project and user, user can be owner ,commenter, editor. User with each this relation can_view project. I want to get all user projects which user can_view but user is not owner. As i see i can not set in request:

"permission": "can_view - owner"

because of validation and i don`t want to send 2 requests with filter by role (commenter, editor) should i send 2 requests for each role, or can i filter it in request? thanks)

vroldanbet

06/28/2024, 7:45 AM

have you considered creating a new permission

permission can_view_minus_owner = can_view - owner

and run LookupResources over that? Sharing your schema would help

Yaroslav

06/28/2024, 7:48 AM

i thought about permission

can_view_minus_owner = can_view - owner

but i have a lot of items in my db If I add this relation, it won't load the postgres too much?

Yaroslav

06/28/2024, 7:49 AM

Copy code

definition project {
    relation owner: user
    relation parent: folder
    relation viewer: user | link | group
    relation editor: user | link | group
    relation commenter: user | link | group
    relation signer: user
    relation filler: user
    relation restricted_owner: user 
    permission can_view = viewer + can_edit + viewer->membership + parent + parent->can_view + can_fill + can_comment + can_sign + restricted_owner
    permission can_edit = editor + editor->membership + parent + parent->can_edit + can_all - restricted_owner
    permission can_sign = signer + can_fill
    permission can_fill = filler
    permission can_all = owner - restricted_owner
    permission can_comment = commenter + can_edit + parent + parent->can_comment + commenter->membership
    permission has_access = can_view
}

vroldanbet

06/28/2024, 7:52 AM

>If I add this relation, it won't load the postgres too much? it's a

LookupResources

. It will have to load much anyway. Just make sure to use cursors and low page size.

Yaroslav

06/28/2024, 8:01 AM

so, i will add this permission

Yaroslav

06/28/2024, 8:01 AM

thanks

Yaroslav

06/28/2024, 8:15 AM

@vroldanbet , if i will add new permission, will spice db "reindex" all data?

vroldanbet

06/28/2024, 8:46 AM

there is no reindexing to be made. Permissions are computed, nothing has to be written to the database other than the schema definition. I think there may be a misunderstanding on how SpiceDB works.

Yaroslav

06/28/2024, 1:54 PM

i just tried limit/cursor options) and i see that spice db CPU memory graffic is better, but cursor/limit loaded posgress cpu more) i tested on subject with 12k objects

Yaroslav

06/28/2024, 1:58 PM

@vroldanbet ⬆️

vroldanbet

06/28/2024, 2:00 PM

Yep, expected

Yaroslav

06/28/2024, 2:00 PM

and i see that logic with cursor loaded spiceDB memory for short period. without cursor - for long) https://cdn.discordapp.com/attachments/1256152217941970946/1256247961244143626/Screenshot_2024-06-28_at_15.59.22.png?ex=66801395&is=667ec215&hm=d58c6925efeb961aec61c1702762c38d093cf63ba3b2e0668abb01064521b3d3&

vroldanbet

06/28/2024, 2:09 PM

Makes sense. There are changes coming soon to lookup resources which we hope will reduce memory further

4 Views

Previous Next