https://authzed.com logo
Join Discord
Powered by
I am using Appsflyer's pronto library on top of th...
# spicedb
j
I am using Appsflyer's pronto library on top of the Java client. If that answers the question. There may be issues with the preconditions array. But I assume they would fail validation at the server. The server logs show no such failure, and when those validations fail I get a nice exception from the client.
j
can you print out the proto being sent for delete?
j
Yes, apologies for not getting it in sooner, just learning discord!
Copy code
{:optional-preconditions [{:filter {:optional-relation "accesses",
                                    :optional-resource-id "site1",
                                    :optional-subject-filter {:optional-relation nil,
                                                              :optional-subject-id "site_user",
                                                              :subject-type "user"},
                                    :resource-type "site"},
                           :operation :OPERATION_MUST_MATCH}],
 :relationship-filter {:optional-relation "accesses",
                       :optional-resource-id "site1",
                       :optional-subject-filter {:optional-relation nil,
                                                 :optional-subject-id "site_user",
                                                 :subject-type "user"},
                       :resource-type "site"}}
j
and this succeeds despite the relationship not existing?
j
Yes
I wonder if the 
optional-relation
key of the 
optional-subject-filter
as 
nil
is an issue.
j
try setting it to empty string
it should be fine though
what datastore type are you using, btw?
j
Postgres
It will not accept an empty string, schema violation, for 
optional_relation
in the 
optional_subject_filter
j
ok
I'll run some additional tests
j
Good suggestion, though.
j
@john.conti just tested the above request against SpiceDB running with Postgres and it worked as expected
I wonder if something is filtering the preconditions between your call and the API
can you try making the request directly with a grpc-curl call?
j
Will do.
Running this multiple times gets the same response, deletedAt and a new token: ``` grpcurl -vv -plaintext \ -rpc-header "authorization: Bearer xxxxxxxxxxxxxxx" \ -d '{"optional_preconditions": [{"filter": {"optional_relation": "accesses", "optional_resource_id": "site1", "optional_subject_filter": {"optional_subject_id": "site_user", "subject_type": "user"}, "resource_type": "site"}, "operation": 2}], "relationship_filter": {"optional_relation": "accesses", "optional_resource_id": "site1", "optional_subject_filter": {"optional_subject_id": "site_user", "subject_type": "user"}, "resource_type": "site"}}' \ localhost:50051 \ "authzed.api.v1.PermissionsService/DeleteRelationships"
Copy code
Resolved method descriptor:
rpc DeleteRelationships ( .authzed.api.v1.DeleteRelationshipsRequest ) returns ( .authzed.api.v1.DeleteRelationshipsResponse ) {
  option (.google.api.http) = { post:"/v1/relationships/delete" body:"*"  };
}

Request metadata to send:
authorization: Bearer J3HjJD0ZICO3CgZ0Do9aA802

Response headers received:
content-type: application/grpc
io.spicedb.respmeta.requestid: f96a0da419bcef1a2b814672bd6f1f07

Estimated response size: 12 bytes

Response contents:
{
  "deletedAt": {
    "token": "GgQKAjcw"
  }
}

Response trailers received:
io.spicedb.respmeta.cachedoperationscount: 0
io.spicedb.respmeta.dispatchedoperationscount: 2
Sent 1 request and received 1 response
j
can you paste the command?
(make sure to remove any tokens)
j
Didn't "save" the message.
j
ah
I see it now
sorry
j
np! appreciate the help
Just in case that helps
schema
j
yeah, was just about to ask 🙂
okay
j
Finally I am being helpful 🙂
j
so I ran it against an in-memory datastore
with no relationships
Copy code
Response trailers received:
io.spicedb.respmeta.cachedoperationscount: 0
io.spicedb.respmeta.dispatchedoperationscount: 2
Sent 1 request and received 0 responses
ERROR:
  Code: FailedPrecondition
  Message: failed precondition: unable to satisfy write precondition `operation:OPERATION_MUST_MATCH  filter:{resource_type:"site"  optional_resource_id:"site1"  optional_relation:"accesses"  optional_subject_filter:{subject_type:"user"  optional_subject_id:"site_user"}}`
I'm going to try Postgres now
same error (which is a good thing) against Postgres
what version of SpiceDB are you running?
can you also run 
zed permission check site:site1 accesses user:site_user
and let me know what it says?
j
Looks like 1.7.1: fine-grained-authorization-spicedb-1 | {"level":"warn","version":"1.7.1","time":"2022-07-08T00:33:12Z","message":"not running a released version of SpiceDB"}
j
can you try upgrading to latest?
I just tried adding the relationship, then tried the delete (which worked)
then tried the delete again (which raised the expected error)
maybe there was something wrong in the older SpiceDB
j
Returns 
false
Sounds like it.
j
SpiceDB 1.8.0 completely redesigned the datastore interface
so its certainly possible it fixed something in this area
j
Thank you for the help! We will get upgraded, and test again. Much appreciated.
j
anytime
let me know if it does fix it for you
if not, we'll continue investigating
j
I have confirmed that 1.8 fixes this issue, and we are planning our upgrade to 1.9. Really appreciate the help. I had no idea I wasn't up to date. This was actually a local issue caused by me not pulling on the docker images I used for local development.
j
great
the warning should have said it was not up to date
but maybe it was missed amongst the other log messages
zed
also says so on API calls
2 Views
PreviousNext
Powered by