raystack/frontier

Questions related to design

Closed this issue · 2 comments

I am going through the shield to understand the current design, and I have a couple of questions related to it:

  1. APIs for creating a user accept a User model that has slug defined, but the User model for shield doesn't have it, nor does it persist in the database. Do you know if this is a bug?
  2. The validation rules defined in protobuf are not really used to validate anywhere in the shield, is this by design?
  3. If I go with validation rules defined for the name of the User, it doesn't accept spaces. My understanding of the name was to use something like Kush Sharma, is this incorrect?
  4. For users I see we are using a dedicated table to manage metadata and have dropped the metadata column from the users table, but this is not the same for the rest of the models like org or group. Is this because we wanted to query metadata via key in users?
  5. In a recent commit on protos a lot of useful APIs were removed which were used for shield management, are we replacing them with something else? For example, how am I supposed to add admins to the group now?
  6. I don't see a direct 1-to-1 mapping of a user to an organization, user gets added to a group and the group is attached to an org. Does that mean before creating users, it is mandatory to create a group?
  7. I see a relations table being introduced in recent commits, is this the way moving forward to manage 1-to-1 or 1-to-many relationships? Even for a group to org? It's managed via a column in the group table currently.
  8. I went through the documentation and I got the gist of how the proxy is working, but the authz part was lacking some critical explanations, like how the resources_config shown in the Tour is really built. How am I supposed to know how to model a system type or a resource_group? How do they really fit? Can we explain it via a small use case in the docs? I tried using the config directly as it is and it throws a bunch of errors, is the config outdated?
  9. Currently to make changes in protobuf files and use the latest commit, due to the last commit for API cleanup, we can't really contribute to Shield (compilation errors). Is this parity difference between shield source and proton planned to be picked up on priority?

I wanted to understand the onboarding flow of it to start using it efficiently. I am trying to list a set of steps I got to understand, help me correct it if there are better alternatives to the following flow.

  1. I create an empty resources_config file, create a basic ruleset file and create a shield config file.
  2. I start spicedb via docker image and then start shield on my local machine.
  3. First thing I should do is create a User object and then create an organization. To attach a user to an org should I create a group first? If I want to add a user to multiple organizations, should I create multiple groups attached to organizations and then attach this User to each one of the groups?
  4. If the answer to the above is yes, what if we automatically create a default group as soon as an organization is created to ease this process?
  5. I want to list all the orgs a user belongs to, should I first list all the groups it belongs to and then query org one by one? Is this the right approach?
  6. If I want to attach metadata to a user, say lastname, then I have to first create a key in metadata as lastname and then actually pass it with User while creating/updating it, why not create these keys automatically when the request arrives? How is this flow of manual creation helping?
  7. What should be the correct implementation of querying a user by its username/slug? Or is this not supported yet due to the bug discussed above?

@kushsharma Do we have answers to all the questions now?

@ravisuhag yes we can close this