you need to shut down the other SpiceDB running on the machi SpiceDB #spicedb

Join Discord

you need to shut down the other SpiceDB running on...

# spicedb

Joey

11/21/2022, 6:31 PM

you need to shut down the other SpiceDB running on the machine first

Singha1

11/21/2022, 6:48 PM

bcb84b1ed9d2 docker.repo1.uhc.com/authzed/spicedb:latest "spicedb serve" 10 days ago Up 6 seconds 0.0.0.0:8443->8443/tcp, 0.0.0.0:9090->9090/tcp, 0.0.0.0:50051->50051/tcp

Singha1

11/21/2022, 6:48 PM

If I shut down the server, it won't even recognize the spicedb command

Joey

11/21/2022, 6:49 PM

what do you mean?

Singha1

11/21/2022, 6:50 PM

I mean if I stop the docker container

Joey

11/21/2022, 6:51 PM

you should stop and remove the container

Joey

11/21/2022, 6:51 PM

and replace it with the one with the updated argument(s)

Singha1

11/21/2022, 6:52 PM

got it

Singha1

11/21/2022, 6:57 PM

In docker compose below are the details I have

Singha1

11/21/2022, 6:57 PM

authorization-spicedb: container_name: authorization-spicedb image: docker.repo1.uhc.com/authzed/spicedb:latest command: "serve" ports: - "8443:8443" - "50051:50051" - "9090:9090" environment: SPICEDB_LOG_LEVEL: "debug" SPICEDB_HTTP_ENABLED: "true" SPICEDB_GRPC_SHUTDOWN_GRACE_PERIOD: "5s" SPICEDB_GRPC_PRESHARED_KEY: "localsecret" SPICEDB_DATASTORE_ENGINE: "postgres" SPICEDB_DATASTORE_CONN_URI: "postgres://spicedb_user:spicedb_password@authorization-spicedb-database:5432/spicedb?sslmode=disable" depends_on: authorization-spicedb-database: condition: service_healthy networks: - authorization-network

Singha1

11/21/2022, 6:57 PM

Where those arguments should be added?

Singha1

11/21/2022, 6:58 PM

I think I got it

Singha1

11/21/2022, 6:58 PM

SPICEDB_EXPERIMENT_ENABLE_CAVEATS=true spicedb serve …

Singha1

11/21/2022, 6:59 PM

similar to others

Joey

11/21/2022, 6:59 PM

yes

Singha1

11/21/2022, 7:00 PM

Added environment like this

Singha1

11/21/2022, 7:00 PM

environment: SPICEDB_EXPERIMENT_ENABLE_CAVEATS: true spicedb serve … SPICEDB_LOG_LEVEL: "debug" SPICEDB_HTTP_ENABLED: "true" SPICEDB_GRPC_SHUTDOWN_GRACE_PERIOD: "5s" SPICEDB_GRPC_PRESHARED_KEY: "localsecret" SPICEDB_DATASTORE_ENGINE: "postgres" SPICEDB_DATASTORE_CONN_URI:

Joey

11/21/2022, 7:05 PM

just

true

on the enable caveats

Joey

11/21/2022, 7:05 PM

SPICEDB_EXPERIMENT_ENABLE_CAVEATS: true

Singha1

11/21/2022, 7:07 PM

oh sure , that was type mistake

Singha1

11/21/2022, 7:07 PM

thanks

Singha1

11/21/2022, 7:11 PM

Got it working 🙂

Singha1

11/21/2022, 7:12 PM

able to create policy like this

Singha1

11/21/2022, 7:12 PM

definition user {} definition attribute { relation haver: user } caveat only_on_tuesday(day_of_week string) { day_of_week == "tuesday" } definition document { relation shared_with: user | user with only_on_tuesday relation required_admin_attrs: attribute permission admin = shared_with & required_admin_attrs->haver }

Joey

11/21/2022, 7:13 PM

no need for the attribute stuff but yeah 🙂

Singha1

11/21/2022, 7:14 PM

Do you have Rest API examples for Caveats

Joey

11/21/2022, 7:15 PM

I do not

Joey

11/21/2022, 7:15 PM

but it should be a fairly straightforward conversion from gRPC

Singha1

11/21/2022, 7:47 PM

Yes it worked,

Singha1

11/21/2022, 7:47 PM

Thanks a ton !!!!

Singha1

11/21/2022, 7:51 PM

"OptionalCaveat": { "CaveatName": "ip_allowlist", "Context": { "cidr": "1.2.3.0" } } }

Singha1

11/21/2022, 7:51 PM

I wrote this in caveat

Singha1

11/21/2022, 7:51 PM

and Passing this check request

Singha1

11/21/2022, 7:51 PM

, "Context": { "cidr": "7.2.3.0" }

Singha1

11/21/2022, 7:51 PM

it is returning "permissionship": "PERMISSIONSHIP_HAS_PERMISSION",

Singha1

11/21/2022, 7:53 PM

that should not be the case

Joey

11/21/2022, 8:05 PM

what are you passing in for the user's IP?

Joey

11/21/2022, 8:05 PM

and how did you write the relationship

Joey

11/21/2022, 8:05 PM

I'd need to see the schema

Singha1

11/21/2022, 8:21 PM

definition user {} caveat ip_allowlist(cidr string, user_ip ipaddress) { user_ip.in_cidr(cidr) } definition resource { relation viewer: user | user with ip_allowlist permission view = viewer }

Singha1

11/21/2022, 8:21 PM

Copy code

{
  "updates": [
    {
      "operation": "OPERATION_TOUCH",
      "relationship": {
        "resource": {
          "objectType": "resource",
          "objectId": "topsecret1"
        },
        "relation": "viewer",
        "subject": {
          "object": {
            "objectType": "user",
            "objectId": "Romil"
          }
        },
        "OptionalCaveat": {
          "CaveatName": "ip_allowlist",
          "Context": {
            "cidr": "1.2.3.0"
          }
        }
      }
    }
  ]
}

Singha1

11/21/2022, 8:21 PM

Checking permissions like this

Singha1

11/21/2022, 8:22 PM

Copy code

{
  "consistency": {
    "minimizeLatency": true
  },
  "resource": {
    "objectType": "resource",
    "objectId": "topsecret1"
  },
  "permission": "view",
  "subject": {
    "object": {
      "objectType": "user",
      "objectId": "Romil"
    }
  },
  "Context": {
    "cidr": "7.2.3.0"
  }
}

Joey

11/21/2022, 8:22 PM

I think your

OptionalCaveat

needs to be

optional_caveat

Joey

11/21/2022, 8:22 PM

otherwise, it is writing the relationship without a caveat

Singha1

11/21/2022, 8:22 PM

Joey

11/21/2022, 8:22 PM

change your schema

Joey

11/21/2022, 8:22 PM

change this

Joey

11/21/2022, 8:23 PM

relation viewer: user | user with ip_allowlist

Joey

11/21/2022, 8:23 PM

Joey

11/21/2022, 8:23 PM

relation viewer: user with ip_allowlist

Joey

11/21/2022, 8:23 PM

to make the caveat required

Joey

11/21/2022, 8:23 PM

then try writing the relationship

Joey

11/21/2022, 8:23 PM

if it doesn't see the caveat, it'll then fail

Previous Next