# spicedb
j
yeah, @User you're hitting max depth:
zed validate authzed-download-d0f351.yaml 
Error: max depth exceeded
s
Any idea at a glance what the circular dependency could be?
j
at a glance, no
if you run SpiceDB with --log-level=trace and run a check, it should show which paths it's taking
s
I'll try that.
Does that work as a SPICEDB_LOG_LEVEL=trace env var?
Oh... yes it does 😅
j
yep
@User I'll see if I can have the developer API return more info about this
s
So this is the check that causes infinite recursion
alto/account:192#advisor@alto/user:492
j
we're going to be adding checks for structural recursion
what does it walk?
s
Not sure... dumping the output one sec
j
looks like user has relation admin: alto#act_as_admin
and that may be going back to user
and then back to admin?
potentially?
s
It definitely does.
Does my relation graph have to be a DAG?
j
based on data, yes
s
yeah that hurts... ha
j
structurally, no, but it does need to do so data wise
s
well... hmm
j
my guess is you have something in there that's causing the data to loop back on itself
s
Well I have a lot of self relations
To define "a user can always upload a document associated with their own account"
j
yeah, that's fine so long as it isn't going back to the same user object recursively
like, it's fine on another rel
or permission
s
But yes. "Any admin can impersonate any user"
so
user { 
relation admin: alto#act_as_admin 
permission impersonate = admin    
}
j
anyway, I'll see if I can get some better tooling in place for tracking down data cycles
that's fine so long as there isn't a path from impersonate back to itself
should be pretty easy to check though; just comment out the use of it and see if the cycle resolves
s
alto {
    relation self: alto
    relation admin: alto/user
    permission act_as_admin = self + admin
}
j
if that admin -> the same user
that would cause it
s
Yep
so if I did like
impersonate = non_admin->admin
j
yeah
that should work in theory
s
But that doesn't guarantee that I'm 100% loop free
j
no
that's what validation helps with
s
But this helps. I am unstuck and can unroll my loops.
j
sorry for the trouble
we'll endeavor to make the error more prominent
and informative
s
Appreciate that you're so responsive.
BTW I have this in a couple places.
permission upload_document = self + admin
Does it make sense to do this to get rid of the recursive self-reference?
permission upload_document = self + (admin - self)
Or will that only exclude self from admin after fully traversing admin which it won't do because it's a loop?
j
won't work if it cycles
yeah
plus, if/when we do expression simplification, that would just become admin
s
I wasn't expecting to ever use graph theory when they made me take it in undergrad 22 years ago
j
heheh