Thinking about what's the idiomatic way to do a `d...
# spicedb
Thinking about what's the idiomatic way to do a
of a subject, say,
with the least possible api requests. Say, an employee quits and I want to delete all of their access data stored in SpiceDB. When I understand the
structure right, it's not possible to tell it "delete every relationship you can find that has user:user1 inside", so only make one call. Is that right, or am I missing something? Having to define a
in the request limits it a bit for that case, though i could imagine a potential impact on performance if not set.
note: as of now I just have looked at , so maybe that's simply the wrong place / endpoint?
you're correct in that it you need to set the resource_type
that is a carryover from the zanzibar paper and the way they layout the primary key on the spanner instances
you'll notice that all operations require a resource_type to be set
resource_type:*/any is not an option i guess? 😉
and thanks for the fast answer!
one way to do it atomically would be to create a single relation within the user, say
that points to itself, and that have all of your permissions computations require active users
then it would be a single relationship atomic delete to remove that relationship
then you can clean the user up at your leisure
that'd be a good idea, sure, but would still lead to a lot of stale relations until cleanup happens in whatever manner.
yeah it's possible, depending on the permissions model
i am thinking of a large schema where there could also be some prefixed subschemas, say services on a cloud platform. I see that iterating through all the relations will be costly, e.g. assuming
or a similar approach would be possible, but then again the way it would work now, if I understand it right, would be: 1) Know all the Resources and possible relationships of the subject beforehand 2) call LookupResources for that specific User on all of them 3) make a bunch of DeleteRelationshipRequests Also sounds costly to me, and also complicated, so thought there might be a nicer way to achieve this 🙂
@dguhr84 yeah the workflow is annoying, for sure. Would you mind opening an issue to keep track of this and describe your use-case and what the desirable behaviour should be?
but most likely not before next week, sry. I have to make up my mind to write a proper proposal, also it touches a few existing ones like (ex: would be nice to say
"delete resource * relation <relation> for subject <subject>
and also
delete relation * on resource <resource> for subject <subject>
) - and also - i think it needs some well formed thoughts before creating another issue 🙂