-
Notifications
You must be signed in to change notification settings - Fork 289
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Zed --explain flag uses cached results #2068
Comments
This is working as intended. Can you expand on what you're trying to do? |
This is for a spicedb running locally, so I can confirm there's no writes in-between one zed --explain and the next. On our production system, we'd like to be able to understand why a particular permissioning decision was made - and I think this is probably a common usecase. In some cases, we'd like to be able to display the explanation to an expert end user. If a permissioning decision is 'incorrect' for us, it's usually the case that a user has something setup incorrectly - and we'd like to be able to identify the issue by looking at how spicedb followed relationships to make the permissioning decision. If an explain request doesn't evaluate the whole graph, but makes use of previously cached results, then it becomes harder to understand the cause of a permissioning decision. The current behaviour of --explain is great for understanding where time is spent in an actual permission check - but in some cases it would be helpful to force a full evaluation without using any caches. |
Explain won't evaluate the whole graph even if caching is not used; if a permission is granted via two paths, you may only get one or the other back, depending on which was found first. It sounds like you want more of an "audit" ability, but that has significant performance implications since it would have to both bypass the cache and bypass short circuiting. How often would you expect this feature to be used? |
@winstaan74 Checking in on this |
What platforms are affected?
macos, others
What architectures are affected?
others
What SpiceDB version are you using?
v1.35.3
Steps to Reproduce
In Zed, the --explain flag makes use of cached results, even with the
--consistency-full
flag set.This makes it hard to get a full trace of how a permission decision was calculated.
For example, running the same permission check twice gives differed answers each time -
I see the same behaviour when using the grpc api from a java client with the 'debug' flag set. My desired behaviour is an explanation of the permission checking path that can be displayed to a user.
Expected Result
A full permissions check trace each time.
Actual Result
The explanation for the second permission check is minimal.
The text was updated successfully, but these errors were encountered: