https://authzed.com logo
Join Discord
Powered by
Hi! I believe you're looking for the Lookup API - ...
# spicedb
d
Hi! I believe you're looking for the Lookup API - have a look at this https://buf.build/authzed/api/docs/main:authzed.api.v1#authzed.api.v1.PermissionsService.LookupSubjects
g
I think that's to check for a specific permission, I want to be able to provide a resource and a user, and get back all the permissions the user has on the provided resource
p
sorry for jumping on to this, but I'm looking for a way to do this as well! If there isn't a major tech constraint to do this, I'd be happy to have a go at having a PR open to do this as well (+ having a way to distinguish between direct permissions and propagated (?) permissions through some other relation)
g
it's surprising it doesn't provide it already..
j
its not provided because its not really doable in a performant manner: to find all permissions, you'd have to walk backward to every permission and path in the entire schema
if the schema is small and the data is minimal, it might work
but in any real scale, it would take seconds or more
d
sorry @gvf you're right
@perseus29 ^^
j
note that ^ is a structural, reflective walk
not a data-driven one
@gvf @perseus29 are your permission systems RBAC-like or...?
p
Yes, RBAC-like. There are multiple possible 'accessors' of any given resource, (users, organizations etc), I need to be able to fetch all the permissions that an accessor has on a resource (direct and indirect) in order to have different states on the UI and expose different actions to the users
j
the recommendation right now is to issue a 
check
for each permission, in parallel
p
is there a way to get "only" a particular subject type's permissions?
j
that's what the ^ reflection issue is about
being able to say "which permissions can this relation or subject type have"
although now that I think about it, we could in theory just combine the two IF you're asking for a particular subject, not a subject type overall
p
not exactly that for example, if a user has permissions on resource X, and they are also part of an org that has permissions on resource X, can I retrieve only the permissions that the user has, while not retrieving what they have through the org?
j
you'd issue a check on the overall permission and the org-only one
and see if they differ
SpiceDB doesn't really "know" what an "org-only" permission is
p
gotcha
j
or, if you're using an RBAC-like schema, you could just see if they have any of the roles
and if not, know its through some other means
is the intention to show that a user has an inherited permission?
"user X can access this because they are an admin of org O"?
p
not exactly, that part is for our discovery layer. being able to display content that's been "shared" with just you vs your org
trying to slowly migrate our existing system over
so that data gets synced to ES to help with full-text search etc
j
ah. in that case, you'd want to either define a permission that is just the user and check it
or check the just the org permission
@perseus29 have you read the tiger cache proposal? the intention is to have it produce roaring bitmaps that ES can use
p
yeah thats what I ended up doing. 
reader
vs 
org_reader
yup! i had a look at that! unfortunately, as it currently stands, we wouldn't be able to make use of that since we use mongo and the ids are 96bits vs the 64 that roaring bitmaps support
j
aha
yeah, I'd give a lot for a 128-bit standard roaring bitmap format
p
unfortunately my schema seems to be getting more complicated as i have to deal with more accessor types with the same edge cases as others haha
j
speaking hypothetically: if we added an API that was a check, but returned on which relationship(s)/path(s) the check found the subject had permission, would that solve your problem?>
(just thinking out loud)
p
hmm, wouldn't I have to make a check for every permission either way and then read the path that it went through? unless there was a way to tell the 
check
to go through a particular path? sorry not completely able to visualize how it'd work out
j
in theory, we could turn off short circuiting for it
but it would be slower
p
yeah thats what I was thinking. I'm assuming that parallel checks would be a lot faster
j
likely, yes
that's why we recommend it right now
but we already dispatch each branch of a check in parallel
so in theory it could be done in "one" check
p
right, thats what I was thinking. and from what I read, the results of each of those branches get cached as well, future requests would be a lot faster?
j
yep
p
i can also maintain a secondary cache which gets invalidated based on updates being emitted from the watch service, that should help
j
just be careful with maintaining a secondary cache: handling arrows is non-trivial
p
gah yeah. i'm assuming the duration of the cache in spicedb is configurable? i vaguely recall reading 5 seconds as the ttl somewhere but I feel like that would be too low?
j
its 5s for the quantization window
if you use a zedtoken from a previous check for a next check, it'll use the cache
so long as the entry isn't evicted
p
ah yeah, i need to figure out the correct place to store the zedtoken as well - do you usually suggest storing it along with the resource metadata? or is something else idiomatic there
j
yes
g
In our case it's not RBAC, all users have the same role, but we apply rules to some of them. Our app serves content, to when the user lands on a given page, we want to request to the auth system: what grants does this user have for this doc? (it could be: "title", "audio", "pdf", "agenda", "summary" and so on
j
are these grants represented by `relation`s?
g
mhh...I'm very new to spicedb...I don't really know, but whatever you suggest is the best option...
(I just started with it today)
I would say so, is there any other option?
j
normally, no, but sometimes its a combination of relations
but anyway, if they are each represented by a single relation, you could use 
ReadRelationships
to find them
g
ok, I'll try that tomorrow, thxs
Leaving this here in case anyone is looking for the same, I ran this:
Copy code
zed relationship read tutorial/document:firstdoc --subject-filter tutorial/user:sarah
and it worked fine
p
thank you! i was able to get the behavior i wanted by readrelationships + keeping a map of relationship to permission in code (would not need this once the reflection API comes out)
d
that's awesome! thanks for the update
4 Views
PreviousNext
Powered by