
Unveiling wildcard permissions in SpiceDB

December 23, 2021 | 5 min read

We’re excited to announce today the release of wildcard support in SpiceDB! Wildcard support allows a relation to include all subjects of a particular type, making that relation, and any permission computed from it, public for checks.

To add wildcard support in your schema, simply declare that your relation supports it:

definition resource {
   relation viewer: user | user:* // <-- `user:*` adds wildcard support for type `user`
   permission view = viewer
}

A relationship can now be written between your resource and all users (since we specified type user in user:*), making that relation and any permissions that use it public for any user:

> zed relationship create resource:someresource viewer user:*
aHR0cHM6Ly9iaXQubHkvM0piZ1hUMg==

> zed permission check resource:someresource view user:somegal
true
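To make the resolution rules concrete, the following is an added example (not SpiceDB's own code, and not from this post) that models the schema above in plain Python: a relation only accepts a wildcard subject if it declares `<type>:*`, a wildcard matches any concrete subject of that one type, and it does not leak into relations or permissions that never opted in. The extra `editor` relation, the `bot` subject type and the resource/user ids are constructed for the demonstration.

```python
from dataclasses import dataclass, field

# Constructed model of the post's schema: `viewer: user | user:*` and
# `permission view = viewer`. The `editor` relation and `edit` permission are
# added here (assumption) to show a relation that does NOT allow wildcards.
SCHEMA = {
    "resource": {
        "relations": {
            # relation name -> allowed subject types; "user:*" means wildcards allowed
            "viewer": {"user", "user:*"},
            "editor": {"user"},
        },
        "permissions": {
            # each permission is a union of relations (editors are assumed to view)
            "view": ["viewer", "editor"],
            "edit": ["editor"],
        },
    }
}


@dataclass
class Store:
    # relationship tuples: (resource_type, resource_id, relation, subject_type, subject_id)
    tuples: set = field(default_factory=set)

    def write(self, resource: str, relation: str, subject: str) -> None:
        """Write a relationship, enforcing the schema's allowed subject types."""
        rtype, rid = resource.split(":", 1)
        stype, sid = subject.split(":", 1)
        allowed = SCHEMA[rtype]["relations"][relation]
        # A wildcard subject is accepted only if the relation lists `<type>:*`;
        # a concrete subject needs the bare type to be listed.
        needed = f"{stype}:*" if sid == "*" else stype
        if needed not in allowed:
            raise ValueError(f"{rtype}#{relation} does not allow subject {subject}")
        self.tuples.add((rtype, rid, relation, stype, sid))

    def check(self, resource: str, permission: str, subject: str) -> bool:
        """Answer a permission check for a concrete subject."""
        rtype, rid = resource.split(":", 1)
        stype, sid = subject.split(":", 1)
        if sid == "*":
            raise ValueError("checks are answered for concrete subjects only")
        for relation in SCHEMA[rtype]["permissions"][permission]:
            for (t, i, rel, st, si) in self.tuples:
                if (t, i, rel) != (rtype, rid, relation) or st != stype:
                    continue  # wrong resource/relation, or a different subject type
                # direct membership, or a wildcard written for this subject type
                if si == sid or si == "*":
                    return True
        return False


def demo() -> dict:
    """Reproduce the post's zed session plus the cases a reviewer would probe."""
    store = Store()
    store.write("resource:someresource", "viewer", "user:*")   # the post's write
    store.write("resource:other", "editor", "user:alice")      # constructed
    results = {
        # the post's check: any user can now view someresource
        "public_view": store.check("resource:someresource", "view", "user:somegal"),
        # the wildcard is scoped to the `user` type; other types are not granted
        "bot_not_public": store.check("resource:someresource", "view", "bot:crawler"),
        # the wildcard sits on `viewer`, so `edit` stays private
        "public_does_not_edit": store.check("resource:someresource", "edit", "user:somegal"),
        "alice_edits_other": store.check("resource:other", "edit", "user:alice"),
        "bob_cannot_view_other": store.check("resource:other", "view", "user:bob"),
    }
    # a relation that never declared `user:*` refuses a wildcard relationship
    try:
        store.write("resource:other", "editor", "user:*")
        results["wildcard_on_editor_rejected"] = False
    except ValueError:
        results["wildcard_on_editor_rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point worth keeping in mind when reviewing a schema is the `wildcard_on_editor_rejected` case: public access is an explicit, per-relation, per-type opt-in, so auditing which relations mention `:*` is enough to enumerate everything that can ever be made public.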

Why the need for public support?

Computations of permissions in SpiceDB are all about relationships: how a resource and subject are related to one another indicates the permissions for that subject. For example, the ability to view a document may be because a user is a viewer, because a user is a writer of the document, or even because a user is an admin of the folder which contains the document.

In Check it out: How permissions are answered in Authzed, we discussed how these relationships are defined and how permissions are computed from them. Defining permissions by a combination of schema and relationships is incredibly powerful, but one major capability was missing: the ability to indicate that a permission is granted not to a particular subject but to all subjects, i.e. that access for the permission is public.

Without direct support for public, developers must either create a specialized allusers type or create a relationship between a resource and every user, which simply does not scale.

A public (de)tour of Zanzibar

SpiceDB is heavily inspired by the Zanzibar system by Google, which gives us some guidance on possible solutions to these kinds of problems.

A key source of information is the USENIX Zanzibar presentation, which briefly mentions how Zanzibar supports public access:

View of the system defined value from the Zanzibar presentation

In the above screenshot, we can see that public support was considered useful enough to have a special system defined value created to represent that a resource had a public relationship between itself and all users.

Given the importance of this capability, and the numerous use cases for it, public became issue #1 for implementation in SpiceDB.

However, given SpiceDB’s evolution of Zanzibar, particularly with support for schema, we wondered: could we provide public support but with more power?

Developing the proposal: Wild ideas and wildcards

Being open source, it is critical that all development of major features of SpiceDB take place publicly, ensuring feedback and buy-in from all stakeholders of the project.

The Authzed team began the development process for public support by creating a GitHub issue outlining the background. We then followed up with a proposal summary, listing the various proposals and their pros and cons, to ensure a spirited discussion.

The major proposals considered were:

  • Documentation and guidance for manual use only
  • A special system defined value (like Zanzibar)
  • Wildcard support

It was this last proposal, wildcard support, that appeared to cause the most (positive) discussion.

Wildcard support had a number of positive features:

  • Type safety
  • The ability to limit public access to a particular type of subject
  • No need to add a new keyword
  • Symmetry for possible support for wildcard resources in the future

After much back and forth, community members agreed that wildcard support would be most applicable, and we began implementation, which culminated in PR #336.

With the merge of PR #336 yesterday, we are happy to announce that wildcard support is now available in SpiceDB and Authzed.com!

Wildcard in practice

A working example of wildcard support can be found here, where a document supports being made publicly viewable:

Want to get started testing your permissions system with public support? Start modeling your permissions system in our playground, or join us in our Discord server to get answers to your questions. Authzed engineers and a community of users are there to discuss and help.

Additional Reading

If you’re interested in learning more about authorization and Google Zanzibar, we recommend reading the following posts:
