From 371d5444ffc14c68991e21782f5c30d292b96c94 Mon Sep 17 00:00:00 2001
From: Stefano Scafiti
Date: Wed, 12 Nov 2025 14:56:09 +0100
Subject: [PATCH 01/14] feat: add broken sets service

---
 .../materialize/v0/brokensets_service.proto | 47 +++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 authzed/api/materialize/v0/brokensets_service.proto

diff --git a/authzed/api/materialize/v0/brokensets_service.proto b/authzed/api/materialize/v0/brokensets_service.proto
new file mode 100644
index 0000000..3cf5b55
--- /dev/null
+++ b/authzed/api/materialize/v0/brokensets_service.proto
@@ -0,0 +1,47 @@
+syntax = "proto3";
+package authzed.api.materialize.v0;
+
+import "authzed/api/v1/core.proto";
+
+option go_package = "github.com/authzed/authzed-go/proto/authzed/api/materialize/v0";
+option java_multiple_files = true;
+option java_package = "com.authzed.api.materialize.v0";
+
+service BrokenSetsService {
+ // ListBrokenSets returns all broken sets detected during
+ // the hydration process.
+ //
+ // Each broken set represents a circular dependency in the permission
+ // graph. The response includes the sets involved in each cycle,
+ // along with their associated resources.
+ rpc ListBrokenSets(ListBrokenSetsRequest) returns (stream ListBrokenSetsResponse)
+}
+
+message ListBrokenSetsRequest {
+ // batch_size specifies the maximum number of broken sets to return in a single response.
+ // If set to zero, the server will use the default batch size.
+ uint32 batch_size = 1;
+
+ // optional_at_revision defines the specific revision at which the broken sets should be evaluated.
+ // At this time, it is only compared against the revision of the provided backing store snapshot.
+ authzed.api.v1.ZedToken optional_at_revision = 2;
+}
+
+message BrokenSet {
+ // resource_type is the type of the broken resource.
+ string resource_type = 1;
+
+ // resource_id is the id of the broken resource.
+ string resource_id = 2;
+
+ // permission is the broken permission set.
+ string permission = 3;
+}
+
+message ListBrokenSetsResponse {
+ // broken_sets contains the list of broken sets found for the requested revision.
+ repeated BrokenSet broken_sets = 1;
+
+ // read_at is the ZedToken at which the broken set applies.
+ authzed.api.v1.ZedToken revision = 2;
+}
From 2250e8c6918c8f4d9d74f866f0b2bedb6d97cf82 Mon Sep 17 00:00:00 2001
From: Stefano Scafiti
Date: Wed, 12 Nov 2025 14:57:56 +0100
Subject: [PATCH 02/14] Fix syntax error

---
 authzed/api/materialize/v0/brokensets_service.proto | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
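Review bot: The `optional_at_revision` comment in `ListBrokenSetsRequest` says the token is only compared against the backing store snapshot's revision but never states the outcome of that comparison, so a caller cannot tell whether a token that does not match is rejected or silently ignored in favour of the snapshot's revision. Because the field is a message type it has explicit presence in proto3, so the unset case is distinguishable and deserves a sentence as well. Suggest extending the comment along the lines of `// If unset, the snapshot's own revision is used. If set and different from the snapshot's revision, the server <rejects the request / ignores the token — TODO: state which>.` The reworded comment in patch 09 keeps the same gap.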
diff --git a/authzed/api/materialize/v0/brokensets_service.proto b/authzed/api/materialize/v0/brokensets_service.proto
index 3cf5b55..fb0dac9 100644
--- a/authzed/api/materialize/v0/brokensets_service.proto
+++ b/authzed/api/materialize/v0/brokensets_service.proto
@@ -14,7 +14,7 @@ service BrokenSetsService {
 // Each broken set represents a circular dependency in the permission
 // graph. The response includes the sets involved in each cycle,
 // along with their associated resources.
- rpc ListBrokenSets(ListBrokenSetsRequest) returns (stream ListBrokenSetsResponse)
+ rpc ListBrokenSets(ListBrokenSetsRequest) returns (stream ListBrokenSetsResponse) {}
 }
 
 message ListBrokenSetsRequest {
From aa6c8530dc91a8993be7bb42f75bf1b2a3128df2 Mon Sep 17 00:00:00 2001
From: Stefano Scafiti
Date: Wed, 12 Nov 2025 14:59:56 +0100
Subject: [PATCH 03/14] Fix format

---
 authzed/api/materialize/v0/brokensets_service.proto | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/authzed/api/materialize/v0/brokensets_service.proto b/authzed/api/materialize/v0/brokensets_service.proto
index fb0dac9..47d164a 100644
--- a/authzed/api/materialize/v0/brokensets_service.proto
+++ b/authzed/api/materialize/v0/brokensets_service.proto
@@ -21,7 +21,6 @@ message ListBrokenSetsRequest {
 // batch_size specifies the maximum number of broken sets to return in a single response.
 // If set to zero, the server will use the default batch size.
 uint32 batch_size = 1;
-
 // optional_at_revision defines the specific revision at which the broken sets should be evaluated.
 // At this time, it is only compared against the revision of the provided backing store snapshot.
 authzed.api.v1.ZedToken optional_at_revision = 2;
@@ -30,10 +29,8 @@ message ListBrokenSetsRequest {
 message BrokenSet {
 // resource_type is the type of the broken resource.
 string resource_type = 1;
-
 // resource_id is the id of the broken resource.
 string resource_id = 2;
-
 // permission is the broken permission set.
 string permission = 3;
 }
@@ -41,7 +38,6 @@ message BrokenSet {
 message ListBrokenSetsResponse {
 // broken_sets contains the list of broken sets found for the requested revision.
 repeated BrokenSet broken_sets = 1;
-
 // read_at is the ZedToken at which the broken set applies.
 authzed.api.v1.ZedToken revision = 2;
 }
From d710cc1fb30d192e7736972b57a8d9e58612e97a Mon Sep 17 00:00:00 2001
From: Stefano Scafiti
Date: Wed, 12 Nov 2025 15:15:11 +0100
Subject: [PATCH 04/14] Rename entities

---
 authzed/api/materialize/v0/brokensets_service.proto | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/authzed/api/materialize/v0/brokensets_service.proto b/authzed/api/materialize/v0/brokensets_service.proto
index 47d164a..428cb01 100644
--- a/authzed/api/materialize/v0/brokensets_service.proto
+++ b/authzed/api/materialize/v0/brokensets_service.proto
@@ -8,16 +8,16 @@ option java_multiple_files = true;
 option java_package = "com.authzed.api.materialize.v0";
 
 service BrokenSetsService {
- // ListBrokenSets returns all broken sets detected during
+ // ReadBrokenSets returns all broken sets detected during
 // the hydration process.
 //
 // Each broken set represents a circular dependency in the permission
 // graph. The response includes the sets involved in each cycle,
 // along with their associated resources.
- rpc ListBrokenSets(ListBrokenSetsRequest) returns (stream ListBrokenSetsResponse) {}
+ rpc ReadBrokenSets(ReadBrokenSetsRequest) returns (stream ReadBrokenSetsResponse) {}
 }
 
-message ListBrokenSetsRequest {
+message ReadBrokenSetsRequest {
 // batch_size specifies the maximum number of broken sets to return in a single response.
 // If set to zero, the server will use the default batch size.
 uint32 batch_size = 1;
@@ -35,7 +35,7 @@ message BrokenSet {
 string permission = 3;
 }
 
-message ListBrokenSetsResponse {
+message ReadBrokenSetsResponse {
 // broken_sets contains the list of broken sets found for the requested revision.
 repeated BrokenSet broken_sets = 1;
 // read_at is the ZedToken at which the broken set applies.
From ca83c6f6a95003c54facea1445fec60df175c5e8 Mon Sep 17 00:00:00 2001
From: Stefano Scafiti
Date: Wed, 12 Nov 2025 15:32:22 +0100
Subject: [PATCH 05/14] Update authzed/api/materialize/v0/brokensets_service.proto
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Víctor Roldán Betancort
---
 authzed/api/materialize/v0/brokensets_service.proto | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/authzed/api/materialize/v0/brokensets_service.proto b/authzed/api/materialize/v0/brokensets_service.proto
index 428cb01..ba49fd6 100644
--- a/authzed/api/materialize/v0/brokensets_service.proto
+++ b/authzed/api/materialize/v0/brokensets_service.proto
@@ -31,8 +31,8 @@ message BrokenSet {
 string resource_type = 1;
 // resource_id is the id of the broken resource.
 string resource_id = 2;
- // permission is the broken permission set.
- string permission = 3;
+ // relation is the relation of this broken resource.
+ string relation = 3;
 }
 
 message ReadBrokenSetsResponse {
From a5527a5b25b77606b2ee65d620a4b202675c26fb Mon Sep 17 00:00:00 2001
From: Stefano Scafiti
Date: Thu, 13 Nov 2025 11:41:52 +0100
Subject: [PATCH 06/14] Update definition

---
 .../materialize/v0/brokensets_service.proto | 42 +++++++++----------
 1 file changed, 20 insertions(+), 22 deletions(-)

diff --git a/authzed/api/materialize/v0/brokensets_service.proto b/authzed/api/materialize/v0/brokensets_service.proto
index ba49fd6..e10e8f1 100644
--- a/authzed/api/materialize/v0/brokensets_service.proto
+++ b/authzed/api/materialize/v0/brokensets_service.proto
@@ -7,37 +7,35 @@ option go_package = "github.com/authzed/authzed-go/proto/authzed/api/materialize
 option java_multiple_files = true;
 option java_package = "com.authzed.api.materialize.v0";
 
-service BrokenSetsService {
- // ReadBrokenSets returns all broken sets detected during
+service BrokenPermissionsService {
+ // ReadBrokenWatchedPermissions returns all cycles detected during
 // the hydration process.
 //
- // Each broken set represents a circular dependency in the permission
- // graph. The response includes the sets involved in each cycle,
- // along with their associated resources.
- rpc ReadBrokenSets(ReadBrokenSetsRequest) returns (stream ReadBrokenSetsResponse) {}
+ // Each cycle a circular dependency in the permission graph.
+ // The response includes the broken permission, along with the resources involved in each cycle.
+ rpc ReadBrokenWatchedPermissions(ReadBrokenWatchedPermissionsRequest) returns (stream ReadBrokenWatchedPermissionsResponse) {}
 }
 
-message ReadBrokenSetsRequest {
- // batch_size specifies the maximum number of broken sets to return in a single response.
- // If set to zero, the server will use the default batch size.
- uint32 batch_size = 1;
+message ReadBrokenWatchedPermissionsRequest {
 // optional_at_revision defines the specific revision at which the broken sets should be evaluated.
 // At this time, it is only compared against the revision of the provided backing store snapshot.
 authzed.api.v1.ZedToken optional_at_revision = 2;
 }
 
-message BrokenSet {
- // resource_type is the type of the broken resource.
- string resource_type = 1;
- // resource_id is the id of the broken resource.
- string resource_id = 2;
- // relation is the relation of this broken resource.
- string relation = 3;
+message ReadBrokenWatchedPermissionsResponse {
+ // revision is the ZedToken at which the response was evaluated.
+ authzed.api.v1.ZedToken revision = 1;
+ // The watched permission that broke.
+ WatchedPermission watched_permission = 2;
+ // The resources involved in the cycle.
+ repeated Resource cycle = 3;
 }
 
-message ReadBrokenSetsResponse {
- // broken_sets contains the list of broken sets found for the requested revision.
- repeated BrokenSet broken_sets = 1;
- // read_at is the ZedToken at which the broken set applies.
- authzed.api.v1.ZedToken revision = 2;
+message Resource {
+ // object_type is the type of the resource.
+ string object_type = 1;
+ // object_id is the id of the resource.
+ string object_id = 2;
+ // permission_or_relation is the permission/relation.
+ string permission_or_relation = 3;
 }
From 02ecba66388f19ccba22fc902586c25fc2168f8e Mon Sep 17 00:00:00 2001
From: Stefano Scafiti
Date: Thu, 13 Nov 2025 11:45:54 +0100
Subject: [PATCH 07/14] Add import to WatchedPermission

---
 authzed/api/materialize/v0/brokensets_service.proto | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/authzed/api/materialize/v0/brokensets_service.proto b/authzed/api/materialize/v0/brokensets_service.proto
index e10e8f1..e07d6b1 100644
--- a/authzed/api/materialize/v0/brokensets_service.proto
+++ b/authzed/api/materialize/v0/brokensets_service.proto
@@ -1,6 +1,7 @@
 syntax = "proto3";
 package authzed.api.materialize.v0;
 
+import "authzed/api/materialize/v0/watchedpermissions.proto";
 import "authzed/api/v1/core.proto";
 
 option go_package = "github.com/authzed/authzed-go/proto/authzed/api/materialize/v0";
@@ -26,7 +27,7 @@ message ReadBrokenWatchedPermissionsResponse {
 // revision is the ZedToken at which the response was evaluated.
 authzed.api.v1.ZedToken revision = 1;
 // The watched permission that broke.
- WatchedPermission watched_permission = 2;
+ authzed.api.materialize.v0.WatchedPermission watched_permission = 2;
 // The resources involved in the cycle.
 repeated Resource cycle = 3;
 }
From f86ee7f9c94fc79046081ce85c850412a76eaebe Mon Sep 17 00:00:00 2001
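Review bot: Dropping `batch_size = 1` from the request leaves `ReadBrokenWatchedPermissionsRequest` with its only field at number 2 and number 1 neither used nor reserved; since this file is new in the series, renumber `optional_at_revision` to 1 before it is published, or, if the v0 schema has already shipped, add `reserved 1; reserved "batch_size";` so the number cannot be reused with a different meaning later. The new service comment also reads `// Each cycle a circular dependency in the permission graph.` and is missing its verb: `// Each cycle is a circular dependency in the permission graph.`. The new top-level `Resource` message is a very generic name for package `authzed.api.materialize.v0`; I cannot see the sibling files, but if any of them already defines a `Resource` protoc will reject the duplicate, and a cycle-specific name would read better in generated code either way. The hunk opens with the service definition on the previous physical line and continues there.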
From: Stefano Scafiti
Date: Thu, 13 Nov 2025 11:47:30 +0100
Subject: [PATCH 08/14] rename file and fix path

---
 .../v0/{brokensets_service.proto => brokenpermissions.proto} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename authzed/api/materialize/v0/{brokensets_service.proto => brokenpermissions.proto} (96%)

diff --git a/authzed/api/materialize/v0/brokensets_service.proto b/authzed/api/materialize/v0/brokenpermissions.proto
similarity index 96%
rename from authzed/api/materialize/v0/brokensets_service.proto
rename to authzed/api/materialize/v0/brokenpermissions.proto
index e07d6b1..ed70683 100644
--- a/authzed/api/materialize/v0/brokensets_service.proto
+++ b/authzed/api/materialize/v0/brokenpermissions.proto
@@ -1,7 +1,7 @@
 syntax = "proto3";
 package authzed.api.materialize.v0;
 
-import "authzed/api/materialize/v0/watchedpermissions.proto";
+import "authzed/api/materialize/v0/watchpermissions.proto";
 import "authzed/api/v1/core.proto";
 
 option go_package = "github.com/authzed/authzed-go/proto/authzed/api/materialize/v0";
From 67e9ef43449365c8d5b7b4b81f83f4f8ac9a0765 Mon Sep 17 00:00:00 2001
From: Stefano Scafiti
Date: Thu, 13 Nov 2025 12:10:52 +0100
Subject: [PATCH 09/14] Update authzed/api/materialize/v0/brokenpermissions.proto
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Víctor Roldán Betancort
---
 authzed/api/materialize/v0/brokenpermissions.proto | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/authzed/api/materialize/v0/brokenpermissions.proto b/authzed/api/materialize/v0/brokenpermissions.proto
index ed70683..306f5ad 100644
--- a/authzed/api/materialize/v0/brokenpermissions.proto
+++ b/authzed/api/materialize/v0/brokenpermissions.proto
@@ -18,7 +18,7 @@ service BrokenPermissionsService {
 }
 
 message ReadBrokenWatchedPermissionsRequest {
- // optional_at_revision defines the specific revision at which the broken sets should be evaluated.
+ // optional_at_revision defines the specific revision at which the broken watched permissions should be evaluated.
 // At this time, it is only compared against the revision of the provided backing store snapshot.
 authzed.api.v1.ZedToken optional_at_revision = 2;
 }
From 2db58916755c1eb2843609622d0e9e527a6fcf89 Mon Sep 17 00:00:00 2001
From: Stefano Scafiti
Date: Thu, 13 Nov 2025 12:11:08 +0100
Subject: [PATCH 10/14] Update authzed/api/materialize/v0/brokenpermissions.proto
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Víctor Roldán Betancort
---
 authzed/api/materialize/v0/brokenpermissions.proto | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/authzed/api/materialize/v0/brokenpermissions.proto b/authzed/api/materialize/v0/brokenpermissions.proto
index 306f5ad..230d048 100644
--- a/authzed/api/materialize/v0/brokenpermissions.proto
+++ b/authzed/api/materialize/v0/brokenpermissions.proto
@@ -28,7 +28,7 @@ message ReadBrokenWatchedPermissionsResponse {
 authzed.api.v1.ZedToken revision = 1;
 // The watched permission that broke.
 authzed.api.materialize.v0.WatchedPermission watched_permission = 2;
- // The resources involved in the cycle.
+ // The resources involved in the cycle. The resource order does not represent the cycle traversal order
 repeated Resource cycle = 3;
 }
 
From c0e0bd8ef3cea362cf2cfb95d20b04c8ff70b5bd Mon Sep 17 00:00:00 2001
From: Stefano Scafiti
Date: Thu, 13 Nov 2025 12:11:29 +0100
Subject: [PATCH 11/14] Update authzed/api/materialize/v0/brokenpermissions.proto
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Víctor Roldán Betancort
---
 authzed/api/materialize/v0/brokenpermissions.proto | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/authzed/api/materialize/v0/brokenpermissions.proto b/authzed/api/materialize/v0/brokenpermissions.proto
index 230d048..6e1d082 100644
--- a/authzed/api/materialize/v0/brokenpermissions.proto
+++ b/authzed/api/materialize/v0/brokenpermissions.proto
@@ -24,7 +24,7 @@ message ReadBrokenWatchedPermissionsRequest {
 }
 
 message ReadBrokenWatchedPermissionsResponse {
- // revision is the ZedToken at which the response was evaluated.
+ // revision is the ZedToken at which the request was evaluated.
 authzed.api.v1.ZedToken revision = 1;
 // The watched permission that broke.
 authzed.api.materialize.v0.WatchedPermission watched_permission = 2;
From 47ef97c931deb45e2994300dce87064dcb6d2e11 Mon Sep 17 00:00:00 2001
From: Stefano Scafiti
Date: Fri, 14 Nov 2025 09:30:56 +0100
Subject: [PATCH 12/14] Introduce a custom type for broken watched permission

---
 authzed/api/materialize/v0/brokenpermissions.proto | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/authzed/api/materialize/v0/brokenpermissions.proto b/authzed/api/materialize/v0/brokenpermissions.proto
index 6e1d082..10e0090 100644
--- a/authzed/api/materialize/v0/brokenpermissions.proto
+++ b/authzed/api/materialize/v0/brokenpermissions.proto
@@ -1,7 +1,6 @@
 syntax = "proto3";
 package authzed.api.materialize.v0;
 
-import "authzed/api/materialize/v0/watchpermissions.proto";
 import "authzed/api/v1/core.proto";
 
 option go_package = "github.com/authzed/authzed-go/proto/authzed/api/materialize/v0";
@@ -27,11 +26,18 @@ message ReadBrokenWatchedPermissionsResponse {
 // revision is the ZedToken at which the request was evaluated.
 authzed.api.v1.ZedToken revision = 1;
 // The watched permission that broke.
- authzed.api.materialize.v0.WatchedPermission watched_permission = 2;
- // The resources involved in the cycle. The resource order does not represent the cycle traversal order
+ BrokenWatchedPermission watched_permission = 2;
+ // The resources involved in the cycle.
 repeated Resource cycle = 3;
 }
 
+message BrokenWatchedPermission {
+ // resource_type is the type of the resource to watch for changes.
+ string resource_type = 1;
+ // permission is the permission to watch for changes.
+ string permission = 2;
+}
+
 message Resource {
 // object_type is the type of the resource.
 string object_type = 1;
From b9f09edc41a5c7e9d3d8f5507eb7a59ace07084a Mon Sep 17 00:00:00 2001
From: Stefano Scafiti
Date: Fri, 14 Nov 2025 09:32:35 +0100
Subject: [PATCH 13/14] Improve cycle comment

---
 authzed/api/materialize/v0/brokenpermissions.proto | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/authzed/api/materialize/v0/brokenpermissions.proto b/authzed/api/materialize/v0/brokenpermissions.proto
index 10e0090..a98d859 100644
--- a/authzed/api/materialize/v0/brokenpermissions.proto
+++ b/authzed/api/materialize/v0/brokenpermissions.proto
@@ -27,7 +27,7 @@ message ReadBrokenWatchedPermissionsResponse {
 authzed.api.v1.ZedToken revision = 1;
 // The watched permission that broke.
 BrokenWatchedPermission watched_permission = 2;
- // The resources involved in the cycle.
+ // The resources involved in the cycle. The resource order does not represent the cycle traversal order.
 repeated Resource cycle = 3;
 }
 
From 66cb2ace3eec4a5d448d65916f1b3d9dd60e6b8b Mon Sep 17 00:00:00 2001
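Review bot: The field comments on the new `BrokenWatchedPermission` message read as if copied from a watch request ("the type of the resource to watch for changes", "the permission to watch for changes"), which is the wrong contract for a response type whose own field comment says it is "the watched permission that broke"; a reader of the generated docs would think these are inputs. Suggest `// resource_type is the type of the resource whose watched permission broke.` and `// permission is the watched permission that broke.`. The same file names the equivalent concept `object_type` in `Resource` and `resource_type` here; picking one spelling for both would keep the generated accessors consistent.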
From: Stefano Scafiti
Date: Fri, 14 Nov 2025 09:33:35 +0100
Subject: [PATCH 14/14] Update authzed/api/materialize/v0/brokenpermissions.proto
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Víctor Roldán Betancort
---
 authzed/api/materialize/v0/brokenpermissions.proto | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/authzed/api/materialize/v0/brokenpermissions.proto b/authzed/api/materialize/v0/brokenpermissions.proto
index a98d859..a8da6d5 100644
--- a/authzed/api/materialize/v0/brokenpermissions.proto
+++ b/authzed/api/materialize/v0/brokenpermissions.proto
@@ -43,6 +43,6 @@ message Resource {
 string object_type = 1;
 // object_id is the id of the resource.
 string object_id = 2;
- // permission_or_relation is the permission/relation.
+ // permission_or_relation is the resource's permission or relation.
 string permission_or_relation = 3;
 }