Protecting Your First App
Introduction​
This guide walks through the steps required to deeply integrate an application with Authzed or SpiceDB. Not all software requires this level of integration, but it is preferable for greenfield applications or applications that are central in an architecture with multiple services.
Instead of introducing an unfamiliar example app and altering various locations in its code, this guide is written such that each step is a standalone snippet of code that demonstrates an integration point and finding where those points exist in your codebase is an exercise left to the reader.
Prerequisites​
One of:
- An Authzed permission system and associated API Token with
adminaccess - A running instance of SpiceDB with the configured preshared key for SpiceDB
Installation​
The first step to integrating any software is ensuring you have an API client.
Each tool is installed with its ecosystem's package management tools:
- Shell
- Go
- Python
- Java
- Ruby
- Node (JS/TS)
brew install authzed/tap/zed
zed context set blog grpc.authzed.com:443 t_your_token_here_1234567deadbeef
mkdir first_app && cd first_app
go mod init first_app
go get github.com/authzed/authzed-go
go mod download github.com/authzed/grpcutil
go mod tidy
pip install authzed
// build.gradle
dependencies {
implementation "com.authzed.api:authzed:0.2.0"
}
gem install authzed
npm i @authzed/authzed-node
Defining and Applying a Schema​
Regardless of whether or not you have a preexisting schema written, integrating a new application will typically require you add new definitions to the Schema.
As a quick recap, Schemas define the objects, their relations, and their checkable permissions that will be available to be used with the permission system.
We'll be using the following blog example throughout this guide:
definition blog/user {}
definition blog/post {
relation reader: blog/user
relation writer: blog/user
permission read = reader + writer
permission write = writer
}
This example defines two types of objects that will be used in the permissions system: user and post.
Each post can have two kinds of relations to users: reader and writer.
Each post can have two permissions checked: read and write.
The read permission unions together both readers and writers, so that any writer is implicitly granted read, as well.
Feel free to start with design to modify and test your own experiments in the playground.
With a schema designed, we can now move on using our client to to apply that schema to the permission system.
- Shell
- Go
- Python
- Java
- Ruby
- Node (JS/TS)
zed schema write <(cat << EOF
definition blog/user {}
definition blog/post {
relation reader: blog/user
relation writer: blog/user
permission read = reader + writer
permission write = writer
}
EOF
)
package main
import (
"context"
"log"
pb "github.com/authzed/authzed-go/proto/authzed/api/v1"
"github.com/authzed/authzed-go/v1"
"github.com/authzed/grpcutil"
)
const schema = `definition blog/user {}
definition blog/post {
relation reader: blog/user
relation writer: blog/user
permission read = reader + writer
permission write = writer
}`
func main() {
client, err := authzed.NewClient(
"grpc.authzed.com:443",
grpcutil.WithBearerToken("t_your_token_here_1234567deadbeef"),
grpcutil.WithSystemCerts(grpcutil.VerifyCA),
)
if err != nil {
log.Fatalf("unable to initialize client: %s", err)
}
request := &pb.WriteSchemaRequest{Schema: schema}
_, err = client.WriteSchema(context.Background(), request)
if err != nil {
log.Fatalf("failed to write schema: %s", err)
}
}
from authzed.api.v1 import Client, WriteSchemaRequest
from grpcutil import bearer_token_credentials
SCHEMA = """definition blog/user {}
definition blog/post {
relation reader: blog/user
relation writer: blog/user
permission read = reader + writer
permission write = writer
}"""
client = Client(
"grpc.authzed.com:443",
bearer_token_credentials("t_your_token_here_1234567deadbeef"),bearer_token_credentials("t_your_token_here_1234567deadbeef"),
)
resp = client.WriteSchema(WriteSchemaRequest(schema=SCHEMA))
import com.authzed.api.v1.SchemaServiceGrpc;
import com.authzed.api.v1.SchemaServiceOuterClass.*;
import com.authzed.grpcutil.BearerToken;
import io.grpc.*;
public class App {
public static void main(String[] args) {
ManagedChannel channel = ManagedChannelBuilder
.forTarget("grpc.authzed.com:443")
.useTransportSecurity()
.build();
BearerToken bearerToken = new BearerToken("t_your_token_here_1234567deadbeef");
SchemaServiceGrpc.SchemaServiceBlockingStub schemaService = SchemaServiceGrpc.newBlockingStub(channel)
.withCallCredentials(bearerToken);
String schema = """
definition blog/user {}
definition blog/post {
relation reader: blog/user
relation writer: blog/user
permission read = reader + writer
permission write = writer
}
""";
WriteSchemaRequest request = WriteSchemaRequest
.newBuilder()
.setSchema(schema)
.build();
WriteSchemaResponse response;
try {
response = schemaService.writeSchema(request);
} catch (Exception e) {
// Uh oh!
}
}
}
require 'authzed'
schema = <<~SCHEMA
definition blog/user {}
definition blog/post {
relation reader: blog/user
relation writer: blog/user
permission read = reader + writer
permission write = writer
}
SCHEMA
client = Authzed::Api::V1::Client.new(
target: 'grpc.authzed.com:443',
interceptors: [Authzed::GrpcUtil::BearerToken.new(token: 't_your_token_here_1234567deadbeef')],
)
resp = client.schema_service.write_schema(
Authzed::Api::V1::WriteSchemaRequest.new(schema: schema)
)
import { v1 } from '@authzed/authzed-node';
const { promises: client } = v1.NewClient(
't_your_token_here_1234567deadbeef',
);
const schema = `definition blog/user {}
definition blog/post {
relation reader: blog/user
relation writer: blog/user
permission read = reader + writer
permission write = writer
}`;
const schemaRequest = v1.WriteSchemaRequest.create({
schema: schema,
});
const schemaResponse = await client.writeSchema(schemaRequest)
console.log(schemaResponse)
note
Similar to applying schema changes for relational databases, all changes to a schema must be backwards compatible.
In production environments where relations change, you will likely want to write data migrations and apply those changes using a schema migration toolchain.
Storing Relationships​
After a permission system has its schema applied, it is ready to have its relationships be created, touched, or deleted. Relationships are live instances of relations between objects. Because the relationships stored in the system can change at runtime, this is a powerful primitive for dynamically granting or revoking access to the resources you've modeled. When applications modify or create rows in their database, they will also typically create or update relationships.
info
Writing relationships returns a ZedToken which is critical to ensuring performance and consistency.
In the following example, we'll be creating two relationships: one making Emilia a writer of the first post and another making Beatrice a reader of the first post. You can also touch and delete relationships, but those are not as immediately useful for an empty permission system.
- Shell
- Go
- Python
- Java
- Ruby
- Node (JS/TS)
zed relationship create blog/post:1 writer blog/user:emilia
zed relationship create blog/post:1 reader blog/user:beatrice
package main
import (
"context"
"fmt"
"log"
pb "github.com/authzed/authzed-go/proto/authzed/api/v1"
"github.com/authzed/authzed-go/v1"
"github.com/authzed/grpcutil"
)
func main() {
client, err := authzed.NewClient(
"grpc.authzed.com:443",
grpcutil.WithBearerToken("t_your_token_here_1234567deadbeef"),
grpcutil.WithSystemCerts(grpcutil.VerifyCA),
)
if err != nil {
log.Fatalf("unable to initialize client: %s", err)
}
request := &pb.WriteRelationshipsRequest{Updates: []*pb.RelationshipUpdate{
{ // Emilia is a Writer on Post 1
Operation: pb.RelationshipUpdate_OPERATION_CREATE,
Relationship: &pb.Relationship{
Resource: &pb.ObjectReference{
ObjectType: "blog/post",
ObjectId: "1",
},
Relation: "writer",
Subject: &pb.SubjectReference{
Object: &pb.ObjectReference{
ObjectType: "blog/user",
ObjectId: "emilia",
},
},
},
},
{ // Beatrice is a Reader on Post 1
Operation: pb.RelationshipUpdate_OPERATION_CREATE,
Relationship: &pb.Relationship{
Resource: &pb.ObjectReference{
ObjectType: "blog/post",
ObjectId: "1",
},
Relation: "reader",
Subject: &pb.SubjectReference{
Object: &pb.ObjectReference{
ObjectType: "blog/user",
ObjectId: "beatrice",
},
},
},
},
}}
resp, err := client.WriteRelationships(context.Background(), request)
if err != nil {
log.Fatalf("failed to write relations: %s", err)
}
fmt.Println(resp.WrittenAt.Token)
}
from authzed.api.v1 import (
Client,
ObjectReference,
Relationship,
RelationshipUpdate,
SubjectReference,
WriteRelationshipsRequest,
)
from grpcutil import bearer_token_credentials
client = Client(
"grpc.authzed.com:443",
bearer_token_credentials("t_your_token_here_1234567deadbeef"),
)
resp = client.WriteRelationships(
WriteRelationshipsRequest(
updates=[
# Emilia is a Writer on Post 1
RelationshipUpdate(
operation=RelationshipUpdate.Operation.OPERATION_CREATE,
relationship=Relationship(
resource=ObjectReference(object_type="blog/post", object_id="1"),
relation="writer",
subject=SubjectReference(
object=ObjectReference(
object_type="blog/user",
object_id="emilia",
)
),
),
),
# Beatrice is a Reader on Post 1
RelationshipUpdate(
operation=RelationshipUpdate.Operation.OPERATION_CREATE,
relationship=Relationship(
resource=ObjectReference(object_type="blog/post", object_id="1"),
relation="reader",
subject=SubjectReference(
object=ObjectReference(
object_type="blog/user",
object_id="beatrice",
)
),
),
),
]
)
)
print(resp.written_at.token)
import com.authzed.api.v1.PermissionService;
import com.authzed.api.v1.PermissionsServiceGrpc;
import com.authzed.grpcutil.BearerToken;
import com.authzed.api.v1.Core.*;
import io.grpc.*;
public class App {
public static void main(String[] args) {
ManagedChannel channel = ManagedChannelBuilder
.forTarget("grpc.authzed.com:443")
.useTransportSecurity()
.build();
BearerToken bearerToken = new BearerToken("t_your_token_here_1234567deadbeef");
PermissionsServiceGrpc.PermissionsServiceBlockingStub permissionsService = PermissionsServiceGrpc.newBlockingStub(channel)
.withCallCredentials(bearerToken);
PermissionService.WriteRelationshipsRequest request = PermissionService.WriteRelationshipsRequest.newBuilder()
.addUpdates(
RelationshipUpdate.newBuilder()
.setOperation(RelationshipUpdate.Operation.OPERATION_CREATE)
.setRelationship(
Relationship.newBuilder()
.setResource(
ObjectReference.newBuilder()
.setObjectType("blog/post")
.setObjectId("1")
.build())
.setRelation("writer")
.setSubject(
SubjectReference.newBuilder()
.setObject(
ObjectReference.newBuilder()
.setObjectType("blog/user")
.setObjectId("emilia")
.build())
.build())
.build())
.build())
.build();
PermissionService.WriteRelationshipsResponse response;
try {
response = permissionsService.writeRelationships(request);
String zedToken = response.getWrittenAt().getToken();
} catch (Exception e) {
// Uh oh!
}
}
}
require 'authzed'
client = Authzed::Api::V1::Client.new(
target: 'grpc.authzed.com:443',
interceptors: [Authzed::GrpcUtil::BearerToken.new(token: 't_your_token_here_1234567deadbeef')],
)
resp = client.permissions_service.write_relationships(
Authzed::Api::V1::WriteRelationshipsRequest.new(
updates: [
# Emilia is a Writer on Post 1
Authzed::Api::V1::RelationshipUpdate.new(
operation: Authzed::Api::V1::RelationshipUpdate::Operation::OPERATION_CREATE,
relationship: Authzed::Api::V1::Relationship.new(
resource: Authzed::Api::V1::ObjectReference.new(object_type: 'blog/post', object_id: '1'),
relation: 'writer',
subject: Authzed::Api::V1::SubjectReference.new(
object: Authzed::Api::V1::ObjectReference.new(object_type: 'blog/user', object_id: 'emilia'),
),
),
),
# Beatrice is a Reader on Post 1
Authzed::Api::V1::RelationshipUpdate.new(
operation: Authzed::Api::V1::RelationshipUpdate::Operation::OPERATION_CREATE,
relationship: Authzed::Api::V1::Relationship.new(
resource: Authzed::Api::V1::ObjectReference.new(object_type: 'blog/post', object_id: '1'),
relation: 'reader',
subject: Authzed::Api::V1::SubjectReference.new(
object: Authzed::Api::V1::ObjectReference.new(object_type: 'blog/user', object_id: 'beatrice'),
),
),
),
]
)
)
puts resp.written_at.token
import { v1 } from '@authzed/authzed-node';
const { promises: client } = v1.NewClient(
't_your_token_here_1234567deadbeef',
);
const resource = v1.ObjectReference.create({
objectType: 'blog/post',
objectId: '1',
});
const emilia = v1.ObjectReference.create({
objectType: 'blog/user',
objectId: 'emilia',
});
const beatrice = v1.ObjectReference.create({
objectType: 'blog/user',
objectId: 'beatrice',
});
const writeRequest = v1.WriteRelationshipsRequest.create({
updates: [
// Emilia is a Writer on Post 1
v1.RelationshipUpdate.create({
relationship: v1.Relationship.create({
resource: resource,
relation: 'writer',
subject: v1.SubjectReference.create({
object: emilia,
}),
}),
operation: v1.RelationshipUpdate_Operation.CREATE,
}),
// Beatrice is a Reader on Post 1
v1.RelationshipUpdate.create({
relationship: v1.Relationship.create({
resource: resource,
relation: 'reader',
subject: v1.SubjectReference.create({
object: beatrice,
}),
}),
operation: v1.RelationshipUpdate_Operation.CREATE,
}),
],
});
const response = await client.writeRelationships(writeRequest)
console.log(response)
Checking Permissions​
Permissions Systems that have stored relationships are capable of performing permission checks. Checks do not only test for the existence of direct relationships, but will also compute and traverse transitive relationships. For example, in our example schema, writers have both write and read, so there's no need to create a read relationship for a subject that is already a writer.
danger
If you are performing a CheckPermission immediately after a WriteSchema or WriteRelationships call, make sure to supply a ZedToken from the WriteRelationships response or set for full consistency. Otherwise, the CheckPermission executing will likely use the cached schema/relationships, and not return what you expect!
The following examples demonstrate exactly that:
- Shell
- Go
- Python
- Java
- Ruby
- Node (JS/TS)
zed permission check blog/post:1 read blog/user:emilia --revision "zedtokenfromwriterel" # true
zed permission check blog/post:1 write blog/user:emilia --revision "zedtokenfromwriterel" # true
zed permission check blog/post:1 read blog/user:beatrice --revision "zedtokenfromwriterel" # true
zed permission check blog/post:1 write blog/user:beatrice --revision "zedtokenfromwriterel" # false
package main
import (
"context"
"log"
pb "github.com/authzed/authzed-go/proto/authzed/api/v1"
"github.com/authzed/authzed-go/v1"
"github.com/authzed/grpcutil"
)
func main() {
client, err := authzed.NewClient(
"grpc.authzed.com:443",
grpcutil.WithBearerToken("t_your_token_here_1234567deadbeef"),
grpcutil.WithSystemCerts(grpcutil.VerifyCA),
)
if err != nil {
log.Fatalf("unable to initialize client: %s", err)
}
ctx := context.Background()
emilia := &pb.SubjectReference{Object: &pb.ObjectReference{
ObjectType: "blog/user",
ObjectId: "emilia",
}}
beatrice := &pb.SubjectReference{Object: &pb.ObjectReference{
ObjectType: "blog/user",
ObjectId: "beatrice",
}}
firstPost := &pb.ObjectReference{
ObjectType: "blog/post",
ObjectId: "1",
}
resp, err := client.CheckPermission(ctx, &pb.CheckPermissionRequest{
Resource: firstPost,
Permission: "read",
Subject: emilia,
})
if err != nil {
log.Fatalf("failed to check permission: %s", err)
}
// resp.Permissionship == pb.CheckPermissionResponse_PERMISSIONSHIP_HAS_PERMISSION
resp, err = client.CheckPermission(ctx, &pb.CheckPermissionRequest{
Resource: firstPost,
Permission: "write",
Subject: emilia,
})
if err != nil {
log.Fatalf("failed to check permission: %s", err)
}
// resp.Permissionship == pb.CheckPermissionResponse_PERMISSIONSHIP_HAS_PERMISSION
resp, err = client.CheckPermission(ctx, &pb.CheckPermissionRequest{
Resource: firstPost,
Permission: "read",
Subject: beatrice,
})
if err != nil {
log.Fatalf("failed to check permission: %s", err)
}
// resp.Permissionship == pb.CheckPermissionResponse_PERMISSIONSHIP_HAS_PERMISSION
resp, err = client.CheckPermission(ctx, &pb.CheckPermissionRequest{
Resource: firstPost,
Permission: "write",
Subject: beatrice,
})
if err != nil {
log.Fatalf("failed to check permission: %s", err)
}
// resp.Permissionship == pb.CheckPermissionResponse_PERMISSIONSHIP_NO_PERMISSION
}
from authzed.api.v1 import (
CheckPermissionRequest,
CheckPermissionResponse,
Client,
ObjectReference,
SubjectReference,
)
from grpcutil import bearer_token_credentials
client = Client(
"grpc.authzed.com:443",
bearer_token_credentials("t_your_token_here_1234567deadbeef"),
)
emilia = SubjectReference(
object=ObjectReference(
object_type="blog/user",
object_id="emilia",
)
)
beatrice = SubjectReference(
object=ObjectReference(
object_type="blog/user",
object_id="beatrice",
)
)
post_one = ObjectReference(object_type="blog/post", object_id="1")
resp = client.CheckPermission(
CheckPermissionRequest(
resource=post_one,
permission="read",
subject=emilia,
)
)
assert resp.permissionship == CheckPermissionResponse.PERMISSIONSHIP_HAS_PERMISSION
resp = client.CheckPermission(
CheckPermissionRequest(
resource=post_one,
permission="write",
subject=emilia,
)
)
assert resp.permissionship == CheckPermissionResponse.PERMISSIONSHIP_HAS_PERMISSION
resp = client.CheckPermission(
CheckPermissionRequest(
resource=post_one,
permission="read",
subject=beatrice,
)
)
assert resp.permissionship == CheckPermissionResponse.PERMISSIONSHIP_HAS_PERMISSION
resp = client.CheckPermission(
CheckPermissionRequest(
resource=post_one,
permission="write",
subject=beatrice,
)
)
assert resp.permissionship == CheckPermissionResponse.PERMISSIONSHIP_NO_PERMISSION
import com.authzed.api.v1.PermissionService;
import com.authzed.api.v1.PermissionsServiceGrpc;
import com.authzed.grpcutil.BearerToken;
import com.authzed.api.v1.Core.*;
import io.grpc.*;
public class App {
public static void main(String[] args) {
ManagedChannel channel = ManagedChannelBuilder
.forTarget("grpc.authzed.com:443")
.useTransportSecurity()
.build();
BearerToken bearerToken = new BearerToken("t_your_token_here_1234567deadbeef");
PermissionsServiceGrpc.PermissionsServiceBlockingStub permissionsService = PermissionsServiceGrpc.newBlockingStub(channel)
.withCallCredentials(bearerToken);
ZedToken zedToken = ZedToken.newBuilder()
.setToken("zed_token_value")
.build();
PermissionService.CheckPermissionRequest request = PermissionService.CheckPermissionRequest.newBuilder()
.setConsistency(
PermissionService.Consistency.newBuilder()
.setAtLeastAsFresh(zedToken)
.build())
.setResource(
ObjectReference.newBuilder()
.setObjectType("blog/post")
.setObjectId("1")
.build())
.setSubject(
SubjectReference.newBuilder()
.setObject(
ObjectReference.newBuilder()
.setObjectType("blog/user")
.setObjectId("emilia")
.build())
.build())
.setPermission("read")
.build();
PermissionService.CheckPermissionResponse response;
try {
response = permissionsService.checkPermission(request);
response.getPermissionship();
} catch (Exception e) {
// Uh oh!
}
}
}
require 'authzed'
emilia = Authzed::Api::V1::SubjectReference.new(object: Authzed::Api::V1::ObjectReference.new(
object_type: 'blog/user',
object_id: 'emilia',
))
beatrice = Authzed::Api::V1::SubjectReference.new(object: Authzed::Api::V1::ObjectReference.new(
object_type: 'blog/user',
object_id: 'beatrice',
))
first_post = Authzed::Api::V1::ObjectReference.new(object_type: 'blog/post', object_id: '1')
client = Authzed::Api::V1::Client.new(
target: 'grpc.authzed.com:443',
interceptors: [Authzed::GrpcUtil::BearerToken.new(token: 't_your_token_here_1234567deadbeef')],
)
resp = client.permissions_service.check_permission(Authzed::Api::V1::CheckPermissionRequest.new(
resource: first_post,
permission: 'read',
subject: emilia,
))
raise unless Authzed::Api::V1::CheckPermissionResponse::Permissionship.resolve(resp.permissionship) ==
Authzed::Api::V1::CheckPermissionResponse::Permissionship::PERMISSIONSHIP_HAS_PERMISSION
resp = client.permissions_service.check_permission(Authzed::Api::V1::CheckPermissionRequest.new(
resource: first_post,
permission: 'write',
subject: emilia,
))
raise unless Authzed::Api::V1::CheckPermissionResponse::Permissionship.resolve(resp.permissionship) ==
Authzed::Api::V1::CheckPermissionResponse::Permissionship::PERMISSIONSHIP_HAS_PERMISSION
resp = client.permissions_service.check_permission(Authzed::Api::V1::CheckPermissionRequest.new(
resource: first_post,
permission: 'read',
subject: beatrice,
))
raise unless Authzed::Api::V1::CheckPermissionResponse::Permissionship.resolve(resp.permissionship) ==
Authzed::Api::V1::CheckPermissionResponse::Permissionship::PERMISSIONSHIP_HAS_PERMISSION
resp = client.permissions_service.check_permission(Authzed::Api::V1::CheckPermissionRequest.new(
resource: first_post,
permission: 'write',
subject: beatrice,
))
raise unless Authzed::Api::V1::CheckPermissionResponse::Permissionship.resolve(resp.permissionship) ==
Authzed::Api::V1::CheckPermissionResponse::Permissionship::PERMISSIONSHIP_NO_PERMISSION
import { v1 } from '@authzed/authzed-node';
const { promises: client } = v1.NewClient(
't_your_token_here_1234567deadbeef',
);
const resource = v1.ObjectReference.create({
objectType: 'blog/post',
objectId: '1',
});
const emilia = v1.ObjectReference.create({
objectType: 'blog/user',
objectId: 'emilia',
});
const beatrice = v1.ObjectReference.create({
objectType: 'blog/user',
objectId: 'beatrice',
});
const emiliaCanRead = await client.checkPermission(v1.CheckPermissionRequest.create({
resource,
permission: 'read',
subject: v1.SubjectReference.create({
object: emilia,
}),
}));
console.log(emiliaCanRead.permissionship === v1.CheckPermissionResponse_Permissionship.HAS_PERMISSION);
const emiliaCanWrite = await client.checkPermission(v1.CheckPermissionRequest.create({
resource,
permission: 'write',
subject: v1.SubjectReference.create({
object: emilia,
}),
}));
console.log(emiliaCanWrite.permissionship === v1.CheckPermissionResponse_Permissionship.HAS_PERMISSION);
const beatriceCanRead = await client.checkPermission(v1.CheckPermissionRequest.create({
resource,
permission: 'read',
subject: v1.SubjectReference.create({
object: beatrice,
}),
}));
console.log(beatriceCanRead.permissionship === v1.CheckPermissionResponse_Permissionship.HAS_PERMISSION);
const beatriceCanWrite = await client.checkPermission(v1.CheckPermissionRequest.create({
resource,
permission: 'write',
subject: v1.SubjectReference.create({
object: beatrice,
}),
}));
console.log(beatriceCanWrite.permissionship === v1.CheckPermissionResponse_Permissionship.HAS_PERMISSION);
note
In addition to checking permissions, it is also possible to perform checks on relations to determine membership.
This goes against the best practice because computing permissions are far more flexible, but can be useful when used with discretion.