Hey HN! I'm one of folks that helped launch this project.
You can go directly to the annotated paper here[0].
It's got all kinds of goodies like the ability to direct link from anywhere and generate OpenGraph previews (e.g. [1]).
Coolest of all, it's entirely open source[2] built on NextJS.
I was wondering if you have other examples of a database like SpiceDB, specifically where the database is a "database system" for a very specific use-case (in this case application permissions). Square[1] have described something somewhat similar for accounting.
> SpiceDB is an open source database system for managing security-critical application permissions inspired by Google's Zanzibar paper
Super interesting! It's interesting to think about what Zanzibar ultimately is: an efficient way to store and traverse graphs to determine an outcome, in this case typically authorization, but ever since I learned of this I keep seeing more and more problems that could be solved this way.
Also I can't decide whether this paper is more interesting or the tech they built to annotate it, I keep thinking of papers I'd want to do this with now.
>an efficient way to store and traverse graphs to determine an outcome ... I keep seeing more and more problems that could be solved this way
Yes! The team over at Authzed keeps seeing this, too!
While SpiceDB is fully embracing its primary use-case for permissions, you could also use it to solve many other problems that boil down to "the existence of a path on a graph". For example, we've considered using it for storing update graphs for automating software updates for our Kubernetes operator[0]
The wonderful Kris Nova has also made this realization and considered SpiceDB for dependency resolution for an init system designed to replace systemd[1].
Speaking specifically to efficiency, a lot of the efficiency required for practical use cases is hand-waved away as implementation details of the caching layer in Zanzibar paper.
A real go at this with postgres and logical decode could be made though.
I was just skimming over real quick but don’t have to either to read the whole thing. One thing that stood out, is a group can hold another group. So I guess if you had a role like tech support, web development, financial, etc you could make a CEO role that includes the permissions within those other roles? If I am reading that right, never thought about that though. Kinda neat as role reusability.
Yep! Groups can be easily nested under one another by simply creating a relationship between the group's members and the members of another group.
In SpiceDB [0] schema this can be represented like so:
definition group {
relation member: user | group#member
}
Here `member` allows a relationship to itself, which allows writing a relationship saying that every member of one group is a member of the containing group.
I threw together an example in our playground [1], if you'd like to try it out!
No idea why you are getting downvoted. You are correct. The white paper section 2.3. Talks exactly about that. The namespace configuration pseudo-code show exactly how this is written. Took me over a year to arrive at this conclusion.
Yes. The white paper is very brief on details. Some systems in the wild totally miss the fact that a relation userset operation isn’t “include only”. That also applies to tupleset_to_userset.
I was in that misled camp for quite some time. One day it clicked, but only after realizing that the namespace config pseudo-code from section 2.3. IS what defines relationships: https://gruchalski.com/posts/2022-10-22-zanzibar-with-prolog.... Not the fancy object#relation@subject. That’s just the query language.
I'm actually at the opposite end of the spectrum. I can see how this was beneficial to them when reviewing the document, and if the title was... check out how we collaborate on published journals in our own Google Docs like interface, it would have made sense. But, based on the title I thought they were going to actually explain Google Zanzibar in layman's terms. Not just have a bunch of comments that required you scroll around to figure out what they were even talking about.
I understand your perspective. We've tried to keep this project neutral, so we were hesitant to link to our "What is Zanzibar" blog post[0]. We hoped that the abstract might be good enough for most folks.
One of the features our project supports that could not be done in Google Docs is having multiple sets of annotations. We could add another that assumes you know nothing about the space and helps provide a lot more context.
Hi! I'm one of the contributors to the project and this was an idea that bounced around during development. Can you create an issue in the repo and add any details you have in mind for how this would work?
You can go directly to the annotated paper here[0]. It's got all kinds of goodies like the ability to direct link from anywhere and generate OpenGraph previews (e.g. [1]).
Coolest of all, it's entirely open source[2] built on NextJS.
[0]: https://zanzibar.tech
[1]: https://zanzibar.tech/2R50fs-R_n:1i:3u
[2]: https://github.com/authzed/zanzibar-annotated