
dguhr-rh

02/01/2023, 10:43 PM
Thinking about what's the idiomatic way to do a `delete` of a subject, say, `user:user1` with the least possible API requests. Say, an employee quits and I want to delete all of their access data stored in SpiceDB. If I understand the `DeleteRelationshipRequest` structure right, it's not possible to tell it "delete every relationship you can find that has user:user1 inside", so only make one call. Is that right, or am I missing something? Having to define a `resource_type` in the request limits it a bit for that case, though I could imagine a potential impact on performance if not set.
Note: as of now I have just looked at https://www.postman.com/authzed/workspace/spicedb/request/21043612-ce65f566-7c8b-4aeb-956c-02779d2900ed, so maybe that's simply the wrong place / endpoint?

Jake

02/01/2023, 10:55 PM
you're correct in that you need to set the resource_type
that is a carryover from the zanzibar paper and the way they layout the primary key on the spanner instances
you'll notice that all operations require a resource_type to be set

dguhr-rh

02/01/2023, 10:56 PM
resource_type:*/any is not an option i guess? 😉
and thanks for the fast answer!

Jake

02/01/2023, 10:57 PM
one way to do it atomically would be to create a single relation within the user, say `active`, that points to itself, and then have all of your permissions computations require active users
then it would be a single relationship atomic delete to remove that relationship
then you can clean the user up at your leisure

dguhr-rh

02/01/2023, 10:58 PM
that'd be a good idea, sure, but would still lead to a lot of stale relations until cleanup happens in whatever manner.

Jake

02/01/2023, 10:58 PM
yeah it's possible, depending on the permissions model

dguhr-rh

02/01/2023, 11:03 PM
i am thinking of a large schema where there could also be some prefixed subschemas, say services on a cloud platform. I see that iterating through all the relations will be costly, e.g. assuming `resource_type:*` or a similar approach would be possible, but then again the way it would work now, if I understand it right, would be:
1) Know all the Objects and possible relationships of the subject beforehand
2) call LookupResources for that specific User on all of them
3) make a bunch of DeleteRelationshipRequests
Also sounds costly to me, and also complicated, so thought there might be a nicer way to achieve this 🙂

vroldanbet

02/02/2023, 9:19 AM
@dguhr-rh yeah the workflow is annoying, for sure. Would you mind opening an issue to keep track of this and describe your use-case and what the desirable behaviour should be?

dguhr-rh

02/02/2023, 10:11 AM
Sure!
but most likely not before next week, sry. I have to make up my mind to write a proper proposal, also it touches a few existing ones like https://github.com/authzed/spicedb/issues/346 (ex: would be nice to say "delete resource * relation <relation> for subject <subject>" and also "delete relation * on resource <resource> for subject <subject>") - and also https://github.com/authzed/spicedb/issues/887 - i think it needs some well formed thoughts before creating another issue 🙂