Joey

11/21/2022, 6:31 PM
you need to shut down the other SpiceDB running on the machine first

Singha1

11/21/2022, 6:48 PM
bcb84b1ed9d2 docker.repo1.uhc.com/authzed/spicedb:latest "spicedb serve" 10 days ago Up 6 seconds 0.0.0.0:8443->8443/tcp, 0.0.0.0:9090->9090/tcp, 0.0.0.0:50051->50051/tcp
If I shut down the server, it won't even recognize the spicedb command

Joey

11/21/2022, 6:49 PM
what do you mean?

Singha1

11/21/2022, 6:50 PM
I mean if I stop the docker container

Joey

11/21/2022, 6:51 PM
you should stop and remove the container
and replace it with the one with the updated argument(s)

Singha1

11/21/2022, 6:52 PM
got it
In docker compose below are the details I have
authorization-spicedb:
  container_name: authorization-spicedb
  image: docker.repo1.uhc.com/authzed/spicedb:latest
  command: "serve"
  ports:
    - "8443:8443"
    - "50051:50051"
    - "9090:9090"
  environment:
    SPICEDB_LOG_LEVEL: "debug"
    SPICEDB_HTTP_ENABLED: "true"
    SPICEDB_GRPC_SHUTDOWN_GRACE_PERIOD: "5s"
    SPICEDB_GRPC_PRESHARED_KEY: "localsecret"
    SPICEDB_DATASTORE_ENGINE: "postgres"
    SPICEDB_DATASTORE_CONN_URI: "postgres://spicedb_user:spicedb_password@authorization-spicedb-database:5432/spicedb?sslmode=disable"
  depends_on:
    authorization-spicedb-database:
      condition: service_healthy
  networks:
    - authorization-network
Where should those arguments be added?
I think I got it
SPICEDB_EXPERIMENT_ENABLE_CAVEATS=true spicedb serve …
similar to others

Joey

11/21/2022, 6:59 PM
yes

Singha1

11/21/2022, 7:00 PM
Added environment like this
environment:
  SPICEDB_EXPERIMENT_ENABLE_CAVEATS: true spicedb serve …
  SPICEDB_LOG_LEVEL: "debug"
  SPICEDB_HTTP_ENABLED: "true"
  SPICEDB_GRPC_SHUTDOWN_GRACE_PERIOD: "5s"
  SPICEDB_GRPC_PRESHARED_KEY: "localsecret"
  SPICEDB_DATASTORE_ENGINE: "postgres"
  SPICEDB_DATASTORE_CONN_URI:

Joey

11/21/2022, 7:05 PM
just
true
on the enable caveats
SPICEDB_EXPERIMENT_ENABLE_CAVEATS: true

Singha1

11/21/2022, 7:07 PM
oh sure, that was a typing mistake
thanks
Got it working 🙂
able to create policy like this
definition user {}

definition attribute {
  relation haver: user
}

caveat only_on_tuesday(day_of_week string) {
  day_of_week == "tuesday"
}

definition document {
  relation shared_with: user | user with only_on_tuesday
  relation required_admin_attrs: attribute
  permission admin = shared_with & required_admin_attrs->haver
}

Joey

11/21/2022, 7:13 PM
no need for the attribute stuff but yeah 🙂

Singha1

11/21/2022, 7:14 PM
Do you have Rest API examples for Caveats

Joey

11/21/2022, 7:15 PM
I do not
but it should be a fairly straightforward conversion from gRPC

Singha1

11/21/2022, 7:47 PM
Yes it worked,
Thanks a ton !!!!
"OptionalCaveat": {
  "CaveatName": "ip_allowlist",
  "Context": {
    "cidr": "1.2.3.0"
  }
}
}
I wrote this in caveat
and Passing this check request
, "Context": { "cidr": "7.2.3.0" }
it is returning "permissionship": "PERMISSIONSHIP_HAS_PERMISSION",
that should not be the case

Joey

11/21/2022, 8:05 PM
what are you passing in for the user's IP?
and how did you write the relationship
I'd need to see the schema

Singha1

11/21/2022, 8:21 PM
definition user {}

caveat ip_allowlist(cidr string, user_ip ipaddress) {
  user_ip.in_cidr(cidr)
}

definition resource {
  relation viewer: user | user with ip_allowlist
  permission view = viewer
}
{
  "updates": [
    {
      "operation": "OPERATION_TOUCH",
      "relationship": {
        "resource": {
          "objectType": "resource",
          "objectId": "topsecret1"
        },
        "relation": "viewer",
        "subject": {
          "object": {
            "objectType": "user",
            "objectId": "Romil"
          }
        },
        "OptionalCaveat": {
          "CaveatName": "ip_allowlist",
          "Context": {
            "cidr": "1.2.3.0"
          }
        }
      }
    }
  ]
}
Checking permissions like this
{
  "consistency": {
    "minimizeLatency": true
  },
  "resource": {
    "objectType": "resource",
    "objectId": "topsecret1"
  },
  "permission": "view",
  "subject": {
    "object": {
      "objectType": "user",
      "objectId": "Romil"
    }
  },
  "Context": {
    "cidr": "7.2.3.0"
  }
}

Joey

11/21/2022, 8:22 PM
I think your
OptionalCaveat
needs to be
optional_caveat
otherwise, it is writing the relationship without a caveat

Singha1

11/21/2022, 8:22 PM
oo

Joey

11/21/2022, 8:22 PM
change your schema
change this
relation viewer: user | user with ip_allowlist
to
relation viewer: user with ip_allowlist
to make the caveat required
then try writing the relationship
if it doesn't see the caveat, it'll then fail