I figured that this is usable directly as a service, we only bring our own authentication layer (password + 2FA) and use SpiceDB to check the permissions?<p>However, the docs mention that we're required to have an authzed account, but this is not required when hosting it ourselves?<p>Would be nice to have a step-by-step guide for the self-hosting so that it's apparent how the flow goes.<p>PS: Would also like to use it in Cloudflare Workers, but they don't support gRPC yet (Only REST and HTTP/1.1).
Looks good.<p>1. How does this compare with Ory Keto?<p><pre><code> https://www.ory.sh/keto/docs/
</code></pre>
2. Can it be natively (I can integrate in Postgres SQL) integrated with Row Level Security in Postgres?<p>3. Any interest in supporting TiDB as a backend?<p>Edit: Number questions.
Could this product also do row level security? For instance by finding all user roles and then generating where clauses to inject into the query automatically?
How can one keep the application database in sync with the permissions database? Suppose there is a project which uses a postgres database and a SpiceDB (backed by a separate database).<p>This project is a "github clone" and a user has decided to delete a repository with all of its related objects. In postgres these related objects delete automatically in cascade. How can I do the same in SpiceDB to avoid leaving garbage tuples behind?
What is your business model?<p>I'm really excited about this: building a scalable Access Control is a foundational challenge of cloud-scale systems, and I'm happy to see a new contender.<p>Is this like an "Open-Source Core" model, where the basic core platform is open-source but all the extra features to make it usable (to put it bluntly) in a given org are what you're selling?<p>(in my org it takes ~2s to lookup group membership (& thus permission) of a user on a cache miss, which is just shocking. I'd love it if we migrated to SpiceDB, but of course at our scale that won't happen anytime soon)
Apache 2.0 license.<p>Call me pessimistic, but I wonder how soon we will see a blog post in the style "It was a wonderful journey" that will announce AGPL v3 or another style of "shared source" license.
Awesome to see an open source project in this space! However, the docs say the service is production ready and v1, yet there seem to be no docs on how to run the open source version (except for a brief homebrew example in the README). So how do I run this? For example with a DB?<p>I also noticed that the v0 API is deprecated and discouraged but the v1 API is „work in progress“. To me, that doesn’t inspire confidence that the product is not going to have some breaking changes in API and design?<p>Is there something I am missing?
Oops; I posted on this earlier (by a few hours) submission [1] on SpiceDB story.<p>Reposting (with small edits) here for visibility by founders:<p>Super cool. I’ve been looking at other groups trying to implement such systems, many of which appear very nascent or otherwise missing key features.<p>This looks like it solves a lot of problems for me, a solo developer, trying to build an enterprise-targeted product as a side project (whether that's a fool’s errand is another discussion). In particular, correct and efficient implementation of PER OBJECT permission seems like a hard problem, and many other (external) solutions merely control by object type. Building per object control into the product (integrated in the code itself, with no external gateway/proxy/layer) requires really detailed thought and planning related to ACL, group membership, etc., and any change in plans later means changes to potentially deeply integrated code.<p>QUESTION: Do you see greater value for (a) large teams with huge and complex products involving many moving pieces, that need a consistent AuthZ layer, or (b) small teams that need robust AuthZ and don’t have the time and human power to develop it themselves? (Or c, false dilemma, equally great for both)<p>[1] <a href="https://news.ycombinator.com/item?id=28707072" rel="nofollow">https://news.ycombinator.com/item?id=28707072</a>
How is permission introspection on something like this? So not just "does user x have this permission on object y" but "why does user x have this permission on user y?". For something like cascading folder permission insight, etc...
I've done some thinking in the ACL space: <a href="https://github.com/theronic/eacl" rel="nofollow">https://github.com/theronic/eacl</a><p>(totally beta software - don't use in production)