-
Notifications
You must be signed in to change notification settings - Fork 249
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Intersection Arrow Proposal #597
Comments
I'm here for the syntax bike-shedding:
|
Additionally: |
|
Another idea: |
We would be highly interested in this feature as we have a scenario like this in our business requirements for authorization to specific kinds of resources that have dependencies. What would be the current workaround for this problem? For the concrete example you gave, can such a check be achieved in spicedb at all, or would the client have to make sure to run all necessary checks as separate calls and evaluate the "intersection" constraint itself? |
@phdowling Right now you'd need to issue the checks yourself and compute it client side. Intersection currently only operates over distinct relations, not within one. |
Suggestions are welcome for the operator to use, as it is the main blocker for adoption |
Thanks for the quick response @josephschorr. Since you ask: to me, |
I would be happy to test any draft implementation even if the syntax is still subject to change. |
Another possible syntax:
The |
@josephschorr is this on your development roadmap now by any chance? We're still quite eager to push down more of our authz logic into SpiceDB, our current approach of issuing multiple calls to SpiceDB and computing the intersection ourselves feels like an anti-pattern. Coupled with caveated relationships (great stuff by the way) this would get us to a point of handling basically all authz business logic declaratively and efficiently through SpiceDB! My 2 cents on notation: |
We have a similar use case to what is described in the issue with one exception. Here's a simplified version of our schema:
Not only would we want to make sure that a user has permission to manage all the
I'll also add on to the bike shedding over the operator. My first choice would be for which I bet will have better results than But if an arrow of some sort is necessary, I prefer |
We are evaluating SpiceDB as a centralized system for storing our old permission data for a decentralized world. For us, this intersection proposal would be crucial as our use case needs this 'can see all documents in a folder to access the folder' permission. Are there any news (e.g. a roadmap) for this feature? |
Hey @tafli It is possible to enforce that a user has a given permission on all of an object's parents with SpiceDB today. You'll need to use an "and tree" to do this. In this example that continues the original example, a user can be required to have view permissions on all roles to view the document. |
Thank you, @corkrean We also had a similar idea using a linked list, which also did work. But the same problem here with building and managing the relations. |
@tafli Initial implementation has now been issued |
After further internal discussion, with the introduction of |
Background
SpiceDB’s schema contains the arrow operation (known as
TupleToUserset
in Zanzibar), which performs a “walk” of relationships found on a relation (forming thetupleset
), and for each object found, walks to the referenced relation or permission of a given name on the object (via thecomputed_userset
).If any results are found by this walk, then the overall arrow operation resolves to
HAS_PERMISSION
for a Check:Example Resolution Steps
parent
, and find all subjects for the current document objectviewer
relation and perform a check for the user on that relation, with the folder as the new objectview
the documentProblem
There are scenarios in which a permission might be defined not based on whether the user has permission on any of the parent object(s)'s relations, but rather all of the parent objects's relations.
As a concrete example, imagine a schema with permission roles, each of which is important when taken together:
If the writer of the schema wishes to define
view
such that users can only view a document if they are aviewer
on all roles found inrequirement
, they currently cannot do so easily.Proposal
Introduce a new operator into the SpiceDB schema known as the “intersection arrow” or “and arrow”.
The arrow would act the same as the existing arrow operator, but for every subject found, would require that all checks succeed for the operator to return
HAS_PERMISSION
Example:
In the above example, if there are multiple roles within
requirement
on the document, then the user would be required to haveviewer
on all found roles for them to haveview
permissionChanges
TupleToUserset
in the core namespace API protosThe text was updated successfully, but these errors were encountered: