dsieczko

02/13/2023, 10:31 AM
Hey @DharsanB - why can’t you use a UUID? SpiceDB needs some unique ID for the resource you’d like to check access to - in your case resource. To ensure uniqueness and security, a UUID is recommended as best practice.

DharsanB

02/15/2023, 9:31 AM
We have UUIDs for individual objects, but since we're evaluating against the request path and if the user has access, sometimes path elements might repeat. We're using the ext-authz: https://www.getambassador.io/docs/edge-stack/latest/topics/running/services/ext-authz

dsieczko

02/20/2023, 9:48 PM
Hey @DharsanB - I'm sorry for missing your message.
Can you give me an example of the request path? I'm tagging @vroldanbet here as well.

DharsanB

02/20/2023, 11:10 PM
So, in the current authorization system, we’ll compare if the user has access to /orgs/{orgId}/app/{appId}
The hierarchy is the same as a directory
Org owner is like directory owner
App owner is like file owner

dsieczko

02/21/2023, 12:30 AM
Thanks! And is there any reason you can’t take the id from your request path in your application to make a check request call to SpiceDB? E.g. you can first make sure that the caller has access to orgid and then that they have access to appid (you can make these calls synchronously since SpiceDB is a gRPC API)

DharsanB

02/21/2023, 4:16 AM
Some people are given access to the app directly instead of the org, and the app name is unique in an org but not across orgs.

dsieczko

02/21/2023, 10:26 AM
Cool - you can handle all of this in your SpiceDB Schema Design
Is the app UUID always unique?

DharsanB

02/21/2023, 12:45 PM
Currently it is not. But we're going to make it because if the old one gets deleted and a new app is created with the same name, sometimes the older values are populated before GC kicks in.

dsieczko

02/21/2023, 12:47 PM
You can always combine UUIDs to get a unique value in SpiceDB - e.g. orguuid:appuuid

vroldanbet

02/23/2023, 11:18 AM
Sorry to miss this, y'all. I'm not sure I have all the context. It appears that we want to perform a Check request over a resource whose identifier is obtained from the end-user web request path. I'm not sure I see where the problem is. It's mentioned users may have access to either org or app, and that seems like something that could (and probably should) be modelled explicitly in the schema. Could you guys help me understand the problem? 🙏🏻

dsieczko

02/25/2023, 3:30 PM
Thanks @vroldanbet - @DharsanB let us know if there is anything we can clarify

DharsanB

03/01/2023, 7:36 AM
Sure, will try it out and let you know. Thanks @dsieczko @vroldanbet

dsieczko

03/01/2023, 9:47 AM
Sure thing!