Open jzelinskie opened 3 years ago
I just wanted to add documentation here that you can achieve this today by creating intermediary permissions on objects. This is what we've been recommending and what lots of folks have used successfully.
For example:
```
definition token {}

definition user {
  relation access_tokens: token
}

definition team {
  relation member: user
  // Helper for documents to reach the access tokens
  permission member_tokens = member->access_tokens
}

definition document {
  relation writer_teams: team
  relation reader_teams: team
  // This expands to writer_teams->member->access_tokens
  permission edit = writer_teams->member_tokens
  // Readers also go through the helper so that view resolves to tokens, not to team objects
  permission view = reader_teams->member_tokens + edit
}
```
This can be implemented by introducing an intermediate schema layer, so developers can define multiple hops, like writer_teams->member->access_tokens. When the spicedb server bootstraps, it could generate the corresponding intermediate permissions on objects so that the generated schema can work with the current system.
Any plans to implement this? Without it, hierarchical relationships are really verbose and hard to maintain.
@birdayz Yes, likely as part of https://github.com/authzed/spicedb/issues/1437, since it will involve schema changes anyway
The arrow operator can only be used once in an expression (e.g. `org->admin`), but should be able to support traversing an arbitrary number of relations (e.g. `namespace->org->admin`, `tenant->namespace->org->admin->member`). This would allow for nested arrows in schema.