Expand Permission Tree Subject Relation Expansion
# spicedb
w
A quick question regarding the [Expand Permission Tree](https://buf.build/authzed/api/docs/main:authzed.api.v1#authzed.api.v1.PermissionsService.ExpandPermissionTree) API. We use a computed permission on a `group` definition, `permission member = direct_member + owner`, as a subject relation, i.e. `relation test_relation = group#member`, and grant relationships to the resource using this. Users can be granted `member` and `owner`. When using the Expand Permission Tree API, it does not further expand through these subject relations. Is this expected behaviour / is there anything we can do to get around this? We would want to expand through this to find all of the users that have `direct_member`/`owner` to the group, as well as any groups etc., as they form a recursive hierarchy. Minimal reproducible example of the behaviour in the thread.
A minimal reproducible example could be the schema
```
definition resource {
  relation test: group#member

  permission test_permission = test
}

definition group {
  relation parent: group
  relation direct_member: user
  relation owner: user

  permission member = owner + direct_member
}

definition user {
}
```
With the relations
```
group:1#direct_member@user:2
resource:1#test@group:1#member
group:1#owner@user:1
```
When running `zed permission expand test_permission resource:1`, we get
```
resource:1->test_permission
└── union
    └── resource:1->test
        └── group:1->member
```
Which we would then, to find the users, have to run `zed permission expand member group:1` to give
```
group:1->member
└── union
    ├── group:1->owner
    │   └── user:1
    └── group:1->direct_member
        └── user:2
```
We would prefer to avoid having to recursively call this, as we have many groups that might have a given permission to a resource, as well as many other resource types that use similar subject relation behaviour.
j
yes, this is expected and as-designed behavior
ExpandPermissionTree explicitly does not recurse on its own
LookupSubjects is the API that does recursion
w
Okay cool, thank you - we were just wondering if there was a convenient way to explain why all of the users might have a given permission over a resource, i.e. by exposing the graph structure like ExpandPermissionTree. I am aware of the `zed permission check ... --explain` command, but wanted to know if it was possible in a single call rather than first hitting LookupSubjects and then the `zed permission check ... --explain` command.
j
currently, no
you'd have to run Expand recursively yourself
w
Makes sense - thank you. Also, quick sidebar: is there a specific flag/option you need to enable when running spicedb to make the `--explain` option work?
j
no
w
Cool thanks