
spicedb

document:specificdocument#reader@user:specificuser
|_______________________| |____| |_______________|
        resource         relation     subject
  • API - authzed.api.v1
  • PermissionsService
    • CheckPermission
      • resource, permission, subject
      • consistency
    • ExpandPermissionTree
    • LookupResources
    • {Read,Write,Delete}Relationships
  • SchemaService
  • WatchService
# Docker
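# Start a throw-away spicedb for local development.
# The gRPC port is published on loopback only: the server is reached with
# --insecure below (no TLS), so the preshared key would otherwise cross the
# LAN in cleartext. Drop the 127.0.0.1 prefix only once TLS is configured
# and remote clients really need access.
# "PSK" is a placeholder; use a generated secret and give the same value
# to the client (see `zed context set` below).
docker run --rm -it \
  -p 127.0.0.1:50051:50051 \
  --name spicedb authzed/spicedb serve \
  --grpc-preshared-key "PSK"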

# macOS Brew
# Install the spicedb binary itself.
brew install spicedb

# The preshared key can be given through the environment instead of the
# --grpc-preshared-key "PSK" flag; "PSK" is the placeholder secret that the
# client must present as well. `env` scopes the variable to this one process.
env SPICEDB_GRPC_PRESHARED_KEY=PSK spicedb serve

# zed is the command-line client for spicedb
brew install zed

# Save the dev server as the "local" context. "PSK" is the same placeholder
# the server was started with. --insecure disables TLS, so the key is sent
# in cleartext: acceptable only against the loopback dev server, never
# across a network.
# NOTE(review): zed keeps this token in its local config/keychain — treat
# that store as a credential; confirm the location for your platform.
zed context set local localhost:50051 "PSK" --insecure
# Print the schema the server currently holds.
zed schema read --insecure
/**
 * user: an individual principal. It is the subject type of administrator,
 * member, reader, writer and peek below and carries no relations itself.
 */
definition user {
}

/**
 * organization: the owning tenant of documents. Its administrators can view
 * every document it owns, via document.view -> owner_org->view_all_documents.
 */
definition organization {
/** users who administer the organization. */
relation administrator: user
/** held by administrators; document.view follows owner_org into this permission. */
permission view_all_documents = administrator
}

/**
 * team: a group of users. document.reader accepts a whole team at once
 * through the subject set team#member.
 */
definition team {
/** users belonging to the team. */
relation member: user
}

/**
 * document: the protected resource. Access is granted either directly
 * (reader / writer) or transitively through the owning organization.
 * Relations are listed first, then the permissions computed from them.
 */
definition document {
    /** the organization that owns this document; see organization.view_all_documents. */
    relation owner_org: organization

    /** direct readers: individual users, or every member of a team. */
    relation reader: user | team#member

    /** direct writers: individual users only. */
    relation writer: user

    /**
     * peek: a user, or the wildcard anonymoususer:* which stands for every
     * anonymoususer object at once. No permission in this schema uses it.
     */
    relation peek: user | anonymoususer:*

    /**
     * retrive (sic): tokens reached through a service's `token` relation.
     * The misspelling is kept on purpose: renaming a relation invalidates
     * every relationship already written against it. No permission uses it.
     */
    relation retrive: service#token

    /** view: direct readers plus everyone allowed to view_all_documents on the owning org. */
    permission view = reader + owner_org->view_all_documents

    /** edit: everyone who can view, plus the direct writers. */
    permission edit = view + writer
}

/**
 * anonymoususer: only ever referenced as the wildcard anonymoususer:* in
 * document.peek, i.e. every object of this type at once.
 */
definition anonymoususer {}

/**
 * token: a credential object. It is the type of service's token member and
 * is reached from document.retrive through the subject set service#token.
 */
definition token {}
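/**
 * service: a non-human identity that holds tokens. document.retrive
 * accepts its tokens as subjects via service#token.
 */
definition service {
    // The `relation` keyword was missing ("token: token"); without it the
    // schema does not parse, and document.retrive's service#token reference
    // has nothing to resolve to.
    /** the token objects issued to this service. */
    relation token: token
}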