Implementing a Permission-Based Relationship Creation Mechanism in SpiceDB

[arykalin]

Hello. We are currently trying to secure our SpiceDB instance and have come up with a schema protection
mechanism through a schema. It should be noted that we use an RBAC approach, with roles and permissions.
Here is a small and simplified example of our schema (this schema is used to protect a private cloud):

definition cloud {
	relation cloud_user: user:*
	permission create_namespace = cloud_user
}

definition namespace {
	relation admin: user
	relation editor: user
	relation viewer: user

	permission create_virtual_machine = admin + editor
}

definition virtual_machine {
	relation namespace: namespace

	permission update = namespace->admin + namespace->editor
	permission delete = namespace->admin + namespace->editor
	permission read = namespace->admin + namespace->editor + namespace->viewer
}

We are thinking about how to determine who can create relationships between entities.
The problem is that we have many services and they all need access to create almost all entities in the schema.
It turns out that if one of the services is compromised and an attacker gains access to the SpiceDB API key,
they will be able to create relationships between any entities. To solve this problem, we came up with a "scopes"
mechanism.
The essence of it is as follows: for each relation, we write a separate rule that specifies which permissions should be
checked for creating the relation. Here is an example to create a relation between virtual_machine and namespace:

- resource:
    resource: virtual_machine
    relation: namespace
    operation: TOUCH
  permission:
    resource: namespace
    resource_id: SUBJECT_ID
    permission: create_virtual_machine
    condition: NO_CONDITION

It states that to create a relationship between virtual_machine and namespace, you need to check the
create_virtual_machine permission on the namespace.
The condition option allows you to specify additional conditions for permission checks. And here is an example of scope
rule to delete relation:

- resource:
    resource: virtual_machine
    relation: namespace
    operation: DELETE
  permission:
    resource: virtual_machine
    resource_id: RESOURCE_ID
    permission: delete
    condition: NO_CONDITION

We implemented this mechanism as an interceptor through custom middleware in SpiceDB.
As a result, since we pass the user ID from the client to SpiceDB, we can check the user's permissions to create the
relationship.

This concept initially worked well, but as the schema became more complex, the scope rule configuration also became more
complex. As a result, now to make changes to the schema, it takes quite a lot of time to coordinate all the scope rules.
For example, any user can create a namespace, after creating the namespace they become its admin, but in essence for
SpiceDB namespace
is just a record of the admin relation. Therefore, we have to make a scope rule that says anyone can create a namespace,
but only if such a namespace does not already exist in the database:

- resource:
    resource: namespace
    relation: admin
    operation: TOUCH
  permission:
    resource: cloud
    resource_id: cl0
    permission: create_namespace
    condition: CONDITION_UNIQUE

And we haven't even gone to production yet, and I'm already spending 90 percent of my time developing and maintaining
this scope mechanism)))

In general, I wanted to ask if anyone has implemented a similar mechanism, maybe I'm trying to reinvent the wheel, and
there are ready-made solutions?
Or maybe you have done something similar and realized that it is not worth it,
and it is better to set up regular SpiceDB key separation as it is done in the paid version.