> roles being assigned to a specific object id can you expan SpiceDB #zanzibar

Join Discord

roles being assigned to a specific object id can y...

# zanzibar

Joey

09/16/2022, 5:03 PM

> roles being assigned to a specific object id can you expand on that?

raffaelespazzoli

09/16/2022, 5:06 PM

this is the model I'm playing with, but it does not work

Copy code

definition user {}

    definition group {
        relation member: user | group#member
        relation assigned_to: location
    }
    
    definition role {
        relation membership: group#member
    }
    
    definition thing {
        relation group: group
        relation viewer: role#membership
        permission view: viewer + group
    }

Joey

09/16/2022, 5:08 PM

relation group: group

is going to terminate at the group

Joey

09/16/2022, 5:08 PM

so you either need to store

group#member

there or have

view = viewer + group->member

Joey

09/16/2022, 5:08 PM

but I think you wanted it to be both viewer and a group member

Joey

09/16/2022, 5:09 PM

which would make it

view = viewer & group->member

raffaelespazzoli

09/16/2022, 5:14 PM

Copy code

schema: |-
  definition user {}
  
  definition group {
      relation member: user | group#member
      relation assigned_to: location
  }
  
  definition role {
      relation membership: group#member
  }
  
  definition thing {
      relation group: group
      relation viewer: role#membership
      permission view: viewer & group
      relation creator: role#membership
      permission create: (creator + viewer) & group  
  }
  
relationships: |-
  group:managers#member@user:jane
  group:clerks#member@user:mary
  
  role:manager#membership@group:managers#member
  role:clerk#membership@group:clerks#member
  
  thing:*#viewer@role:clerk
  thing:*#creator@role:manager


assertions:
  assertTrue: [
    thing:thing1#view@user:jane,
    thing:thing1#view@user:mary,
    thing:thing1#create@user:jane,
  ]
  assertFalse: [
    thing:thing1#create@user:mary,
  ]
validation: {}

like this?

Joey

09/16/2022, 5:15 PM

permissions need to use a

Joey

09/16/2022, 5:15 PM

relation group: group

Joey

09/16/2022, 5:15 PM

and that would need to be

relation group: group#member

Joey

09/16/2022, 5:15 PM

Joey

09/16/2022, 5:15 PM

permission create = (creator + viewer) & group->member

raffaelespazzoli

09/16/2022, 5:21 PM

ok here it is, this passes:

Copy code

schema: |-
  definition user {}
  
  definition group {
      relation member: user | group#member
  }
  
  definition role {
      relation membership: group#member
  }
  
  definition thing {
      relation group: group#member
      relation viewer: role#membership
      relation creator: role#membership
      permission view = viewer & group -> member
      permission create = (creator + viewer) & group -> member 
  }

relationships: |-
  group:managers#member@user:jane
  group:clerks#member@user:mary
  
  role:manager#membership@group:managers#member
  role:clerk#membership@group:clerks#member
  
  thing:*#viewer@role:clerk
  thing:*#creator@role:manager


assertions:
  assertTrue: [
    thing:thing1#view@user:jane,
    thing:thing1#view@user:mary,
    thing:thing1#create@user:jane,
  ]
  assertFalse: [
    thing:thing1#create@user:mary,
  ]
validation: {}

but I feel there is something wrong as I never assigned any group to thing1 and yet the assertions work

Joey

09/16/2022, 5:21 PM

Copy code

thing:*#viewer@role:clerk
  thing:*#creator@role:manager

Joey

09/16/2022, 5:21 PM

that's not valid

raffaelespazzoli

09/16/2022, 5:23 PM

ok, that's what I need to make the role generic and not assigned to a specific thing. the playground does not complain about it though....

Joey

09/16/2022, 5:23 PM

I'll file a bug to make sure it does

Joey

09/16/2022, 5:23 PM

just use a name

Joey

09/16/2022, 5:23 PM

thing:whatever

Joey

09/16/2022, 5:25 PM

yeah

Joey

09/16/2022, 5:25 PM

playground isn't processing it

Joey

09/16/2022, 5:25 PM

because its raising an error

Joey

09/16/2022, 5:25 PM

I'll make that more explicit

raffaelespazzoli

09/16/2022, 5:44 PM

I don't want it to mean thing:whatever, I want it to mean all the things...

Joey

09/16/2022, 5:45 PM

you cannot assign relationships to entire definitions of resources

Joey

09/16/2022, 5:46 PM

https://github.com/authzed/spicedb/issues/346 is an issue discussing it, but its not something we've committed to supporting yet

Joey

09/16/2022, 5:46 PM

it comes with many complications

raffaelespazzoli

09/16/2022, 5:48 PM

so wildcards work only on subjects?

Joey

09/16/2022, 5:51 PM

yes

Joey

09/16/2022, 5:51 PM

currently

Joey

09/16/2022, 5:51 PM

the current recommendation is to just connect each

thing

Bryan

09/16/2022, 6:03 PM

I'm not sure if this is going to helpful, but going to toss it out there in case it is! This is roughly how I modeled roles: https://play.authzed.com/s/WrQiSLQJ9H-V/schema.

Joey

09/16/2022, 6:05 PM

thanks @Bryan!

raffaelespazzoli

09/16/2022, 6:24 PM

@Bryan thanks for sharing your model. I'll give it a try.

4 Views

Previous Next