# spicedb
r
Hello! I'm currently trying to implement a golang service with gorm(pg)+spicedb for my company. I saw the examples but I wonder if you could point me to a more complete example that shows how to properly structure a kind of domain driven solution. My service has a couple of CRUD apis that are JWT authenticated, from the JWT I extract the claims: userID/orgID. The controllers call their repository and inside of those I call spicedb and gorm. I need to evaluate if it's worth pushing the relations to the authz layer and see some more advanced patterns on how to handle the consistency of these operations.
v
Hi, I'm not sure what you are trying to achieve. What is "properly structure"? Are you looking for suggestions on where to put the API calls to spicedb in your application?
r
Hi, I'm trying to understand how to use these APIs in an idiomatic way; a complete example of a Go backend would help me understand. I'm calling spicedb inside the repository that handles the CRUD of an entity, so I call spicedb and then I do the DB query, sometimes within transactions.
The application I'm developing will have nesting of entities, such as an advertiser containing pixels. Depending on the user, they will have manage/edit/view relations with these entities.
j
we don't have a full Go app, but happy to send along some examples
v
I'd advise against keeping DB transactions open while waiting on SpiceDB stuff; it's not gentle towards the DB.
As Joey says, we don't have an example. Personally I always advise coming up with some sort of middleware or wrapper that acts as a "choke point", so that you know authz checks are never missed when performing the CRUD operation.
Anything you do towards making sure an authz check is never missed is a good investment, imo.
y
I'd also recommend https://authzed.com/docs/spicedb/modeling/protecting-a-list-endpoint and https://authzed.com/blog/the-dual-write-problem for some of the particulars of getting information into and out of SpiceDB.
r
Ok, got it, thanks for the resources 🙂
I'm still trying to understand lots of things, for example the tradeoffs of having relationships in spicedb vs. in Postgres. Maybe for simple cases I should keep foreign keys in PG and use spicedb only to have basic multi-tenancy and all the usual authorisation of user actions.
v
There is data you can probably have live only in SpiceDB, but we rarely see that being enough in the long run, because there are other types of related data that you want to have and can't store in SpiceDB today. All business data can eventually be used to make authorization decisions, so from my perspective there is no "authz data" vs "non-authz data", only business data that is relevant for authorization decisions. The way I see it in practice is SpiceDB being a projection of the authz-relevant aspects of your data: you write it to your Postgres, and you write the relevant bits to SpiceDB too. How you do that falls under the [dual write problem](https://authzed.com/blog/the-dual-write-problem), which @yetitwo wrote about.