https://authzed.com logo
Title
d

dsieczko

11/29/2022, 2:49 PM
Hi! I believe you're looking for the Lookup API - have a look at this https://buf.build/authzed/api/docs/main:authzed.api.v1#authzed.api.v1.PermissionsService.LookupSubjects
g

gvf

11/29/2022, 3:09 PM
I think that's to check for a specific permission, I want to be able to provide a resource and a user, and get back all the permissions the user has on the provided resource
p

Perseus

11/29/2022, 3:27 PM
sorry for jumping on to this, but I'm looking for a way to do this as well! If there isn't a major tech constraint to do this, I'd be happy to have a go at having a PR open to do this as well (+ having a way to distinguish between direct permissions and propagated (?) permissions through some other relation)
g

gvf

11/29/2022, 3:27 PM
it's surprising it doesn't provide it already..
j

Joey

11/29/2022, 3:31 PM
its not provided because its not really doable in a performant manner: to find all permissions, you'd have to walk backward to every permission and path in the entire schema
if the schema is small and the data is minimal, it might work
but in any real scale, it would take seconds or more
d

dsieczko

11/29/2022, 3:33 PM
sorry @gvf you're right
@Perseus ^^
j

Joey

11/29/2022, 3:33 PM
note that ^ is a structural, reflective walk
not a data-driven one
@gvf @Perseus are your permission systems RBAC-like or...?
p

Perseus

11/29/2022, 3:40 PM
Yes, RBAC-like. There are multiple possible 'accessors' of any given resource, (users, organizations etc), I need to be able to fetch all the permissions that an accessor has on a resource (direct and indirect) in order to have different states on the UI and expose different actions to the users
j

Joey

11/29/2022, 3:40 PM
the recommendation right now is to issue a
check
for each permission, in parallel
p

Perseus

11/29/2022, 3:41 PM
is there a way to get "only" a particular subject type's permissions?
j

Joey

11/29/2022, 3:41 PM
that's what the ^ reflection issue is about
being able to say "which permissions can this relation or subject type have"
although now that I think about it, we could in theory just combine the two IF you're asking for a particular subject, not a subject type overall
p

Perseus

11/29/2022, 3:42 PM
not exactly that for example, if a user has permissions on resource X, and they are also part of an org that has permissions on resource X, can I retrieve only the permissions that the user has, while not retrieving what they have through the org?
j

Joey

11/29/2022, 3:43 PM
you'd issue a check on the overall permission and the org-only one
and see if they differ
SpiceDB doesn't really "know" what an "org-only" permission is
p

Perseus

11/29/2022, 3:44 PM
gotcha
j

Joey

11/29/2022, 3:44 PM
or, if you're using an RBAC-like schema, you could just see if they have any of the roles
and if not, know its through some other means
is the intention to show that a user has an inherited permission?
"user X can access this because they are an admin of org O"?
p

Perseus

11/29/2022, 3:45 PM
not exactly, that part is for our discovery layer. being able to display content that's been "shared" with just you vs your org
trying to slowly migrate our existing system over
so that data gets synced to ES to help with full-text search etc
j

Joey

11/29/2022, 3:46 PM
ah. in that case, you'd want to either define a permission that is just the user and check it
or check the just the org permission
@Perseus have you read the tiger cache proposal? the intention is to have it produce roaring bitmaps that ES can use
p

Perseus

11/29/2022, 3:46 PM
yeah thats what I ended up doing.
reader
vs
org_reader
yup! i had a look at that! unfortunately, as it currently stands, we wouldn't be able to make use of that since we use mongo and the ids are 96bits vs the 64 that roaring bitmaps support
j

Joey

11/29/2022, 3:47 PM
aha
yeah, I'd give a lot for a 128-bit standard roaring bitmap format
p

Perseus

11/29/2022, 3:50 PM
unfortunately my schema seems to be getting more complicated as i have to deal with more accessor types with the same edge cases as others haha
j

Joey

11/29/2022, 3:53 PM
speaking hypothetically: if we added an API that was a check, but returned on which relationship(s)/path(s) the check found the subject had permission, would that solve your problem?>
(just thinking out loud)
p

Perseus

11/29/2022, 4:17 PM
hmm, wouldn't I have to make a check for every permission either way and then read the path that it went through? unless there was a way to tell the
check
to go through a particular path? sorry not completely able to visualize how it'd work out
j

Joey

11/29/2022, 4:18 PM
in theory, we could turn off short circuiting for it
but it would be slower
p

Perseus

11/29/2022, 4:19 PM
yeah thats what I was thinking. I'm assuming that parallel checks would be a lot faster
j

Joey

11/29/2022, 4:19 PM
likely, yes
that's why we recommend it right now
but we already dispatch each branch of a check in parallel
so in theory it could be done in "one" check
p

Perseus

11/29/2022, 4:20 PM
right, thats what I was thinking. and from what I read, the results of each of those branches get cached as well, future requests would be a lot faster?
j

Joey

11/29/2022, 4:21 PM
yep
p

Perseus

11/29/2022, 4:21 PM
i can also maintain a secondary cache which gets invalidated based on updates being emitted from the watch service, that should help
j

Joey

11/29/2022, 4:21 PM
just be careful with maintaining a secondary cache: handling arrows is non-trivial
p

Perseus

11/29/2022, 4:22 PM
gah yeah. i'm assuming the duration of the cache in spicedb is configurable? i vaguely recall reading 5 seconds as the ttl somewhere but I feel like that would be too low?
j

Joey

11/29/2022, 4:23 PM
its 5s for the quantization window
if you use a zedtoken from a previous check for a next check, it'll use the cache
so long as the entry isn't evicted
p

Perseus

11/29/2022, 4:24 PM
ah yeah, i need to figure out the correct place to store the zedtoken as well - do you usually suggest storing it along with the resource metadata? or is something else idiomatic there
j

Joey

11/29/2022, 4:27 PM
yes
g

gvf

11/29/2022, 5:05 PM
In our case it's not RBAC, all users have the same role, but we apply rules to some of them. Our app serves content, to when the user lands on a given page, we want to request to the auth system: what grants does this user have for this doc? (it could be: "title", "audio", "pdf", "agenda", "summary" and so on
j

Joey

11/29/2022, 5:06 PM
are these grants represented by `relation`s?
g

gvf

11/29/2022, 5:07 PM
mhh...I'm very new to spicedb...I don't really know, but whatever you suggest is the best option...
(I just started with it today)
I would say so, is there any other option?
j

Joey

11/29/2022, 5:08 PM
normally, no, but sometimes its a combination of relations
but anyway, if they are each represented by a single relation, you could use
ReadRelationships
to find them
g

gvf

11/29/2022, 5:12 PM
ok, I'll try that tomorrow, thxs
Leaving this here in case anyone is looking for the same, I ran this:
zed relationship read tutorial/document:firstdoc --subject-filter tutorial/user:sarah
and it worked fine
p

Perseus

12/02/2022, 3:43 PM
thank you! i was able to get the behavior i wanted by readrelationships + keeping a map of relationship to permission in code (would not need this once the reflection API comes out)
d

dsieczko

12/02/2022, 3:52 PM
that's awesome! thanks for the update