Hi everyone Quick question

Toi

04/17/2023, 8:52 PM
Hi everyone. Quick question: Is the preshared_key for security purposes only? Are there any best practices, or should I just pick any random long hash? Also, is it possible to rotate it?

yetitwo

04/17/2023, 8:55 PM
one non-security use is to give yourself little sandboxes when you're using the serve-testing mode of spicedb
if by "rotate" you mean "have multiple valid preshared keys such that you can roll a new one in and roll the old one out" i don't think that's currently supported

Toi

04/17/2023, 8:59 PM
Thank you for the fast response! Yeah, I was wondering if I could rotate it every now and then for security reasons. Regarding having multiple keys, how does that work exactly? I saw it on the docs about testing but I couldn't fully understand. Is each key associated with a different schema? And if so, do they all read from the same tuples in the database?

yetitwo

04/17/2023, 9:12 PM
no - the idea is that each connection that you make with a different preshared-key essentially gives you a sandboxed corner of the in-memory spicedb instance
so you write a schema to it and make API calls against it, and you don't have to worry about cleaning up old data or about calls made using one connection to see data created by another connection

Joey

04/17/2023, 9:55 PM
> i don't think that's currently supported
it is
you just supply multiple with commas (in env) or multiple args on the CLI:
spicedb serve --grpc-preshared-key "somerandomkeyhere" --grpc-preshared-key="anotherkeyhere"

yetitwo

04/17/2023, 11:00 PM
TIL and that is rad!

Toi

04/24/2023, 6:38 PM
That's nice! I have a couple questions about this option, @Joey:
1- If I start my spicedb instance with multiple keys, are they interchangeable on the client side?
2- In order to change the keys, do I have to bring down the server and start it again, passing another key to the 'serve' command?

Joey

04/24/2023, 6:38 PM
1) yes
2) yes
but you can rolling deploy
if you use the SpiceDB operator, it'll do so for you

Toi

04/24/2023, 6:39 PM
Cool! Thank you very much!