Request for separate Channel object type in spiceDB

[arvindh123]

Case 1

Both Group and Channels share the same implementation pkg/groups/groups.go , internal/groups/service.go and same data structure in database.

Groups are present in users service. Their tables are present in users db

When you try to create group with parent as channel, It wont happens, it get fails.
Example :

curl --location 'http://localhost/groups' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer <TOKEN>' \
--data '{
    "name": "group_2",
    "parent_id": "<channel_id>"
}'

User service logs

{"time":"2024-06-13T16:43:33.794708577Z","level":"WARN","msg":"Create group failed to complete successfully","duration":"66.09458ms","group":{"id":"","name":""},"error":{"error":"failed to create entity in the db","message":"failed to create entity"}}

Logs from users service database

2024-06-13 22:12:38 2024-06-13 16:42:38.177 UTC [572] ERROR:  insert or update on table "groups" violates foreign key constraint "groups_parent_id_fkey"
2024-06-13 22:12:38 2024-06-13 16:42:38.177 UTC [572] DETAIL:  Key (parent_id)=(c3dd1853-3e3b-4df0-91d9-856c0275b8ef) is not present in table "groups".
2024-06-13 22:12:38 2024-06-13 16:42:38.177 UTC [572] STATEMENT:  INSERT INTO groups (name, description, id, domain_id, parent_id, metadata, created_at, status)
2024-06-13 22:12:38                     VALUES ($1, $2, $3, $4, $5, $6, $7, $8)
2024-06-13 22:12:38                     RETURNING id, name, description, domain_id, COALESCE(parent_id, '') AS parent_id, metadata, created_at, status;

It fails due to Foreign key reference in groups table, which requires parent_id that need to present in same table.

FOREIGN KEY (parent_id) REFERENCES groups (id) ON DELETE SET NULL

Here the channel_id is not present in same table ,they are present in table in database to which things service is connected .

On any entity creation, there will two major action take place, Adding policy to spice db and adding entity to database

First the adding of policy take place , then followed by adding of entity to database.

So here in this case, If we the policy is added to spicedb, then it is remove , because if entity is failed to add to database ,the service will rollback the policy,

{"time":"2024-06-13T16:43:33.775167675Z","level":"INFO","msg":"Add 3 policies completed successfully","duration":"20.830036ms"}
{"time":"2024-06-13T16:43:33.793919829Z","level":"INFO","msg":"Delete 3 policies completed successfully","duration":"13.840573ms"}

Suggestion:

We should detect before adding to repo, during policy addition we should have this check.
So that we can avoid adding and rollback of policy.

To do this like of check in policy, we need some kind distinguish between channels and groups in spicedb

The one of way i see is by having different object type for channels and groups

Case 2

Things could not be related to groups as subscribe or publish relation , Instead group related to thing as publish or subscribe relation.
In present case , thing is object and group becomes subject.
If we have publish and subscribe relation, then it would be like

• Group (Subject) have publish relation with Thing (object)
• Group (Subject) have subscribe relation with Thing (object)

Because of this we could not check thing have pub/sub permission on group(channel)
Instead we check like following :
Does Group have publish permission to thing
Does Group have subscribe permission to thing ?

This concept will work, it is one of the practical way of implementation, but it doesn't match with theoretical architecture of MG

In theoretical architecture, channels are communication conduit, to which thing are connect.
So according to this theory, permission check should be like:
Does the thing have pub/sub permission on group(channel)

If we want to have the same the theoretical architecture in MG
Then we need to change thing to subject and group to object.

Relation will be like
Thing``(subject) have publish relation with Group``(object)
Thing(subject)havesubscriberelation withGroup``(object)`

Then we can have permission check will be like
Does Thing have publish permission to Group
Does Thing have subscribe permission to Group ?

To have this change we need to separate group and channels in spicedb

Because Group and channel share the type in spicedb , Type name is Group

Group/Channel can have group (like connect) relation with thing object
Existing:

if we didn't separate the group and channels and tries to implement,
then Group want to be object, then thing should have pub/sub relation with Group/Channel

This leads to thing having pub/sub relation to user group, since we could not distinguish between channels and groups in spicedb

So If we have separate object type channel, the have dedicated pub/sub relation for thing to channel.
This will avoid the thing having pub/sub relation with groups

[arvindh123]

There is a pre check condition in spiceDB for adding policy for group with parent group, This pre check condition check for parent ID is present in same domain to which group is present.

This precondition check helps to solve partially the Case 1 .
While adding channel policy to spiceDB , we can add prefix channel to uuid of channel, So in spiceDB policy will be added for channel_<uuid>.

Then While adding group with channel ID's UUID as parent , It will fails in pre condition check, since channel ID's UUID will be member of domain,
Instead while adding group with channel ID as parent with channel_ prefix, channel_<uuid>, Then we will get into the same problem.
The above mentioned solution will partially solve the case 1