https://authzed.com logo
Join Discord
Powered by
Hi everyone Quick question
# spicedb
t
Hi everyone. Quick question: Is the preshared_key for security purposes only? Are there any best practices, or should I just pick any random long hash? Also, is it possible to rotate it?
y
one non-security use is to give yourself little sandboxes when you're using the 
serve-testing
mode of spicedb
if by "rotate" you mean "have multiple valid preshared keys such that you can roll a new one in and roll the old one out" i don't think that's currently supported
t
Thank you for the fast response! Yeah, I was wondering if I could rotate it every now and then for security reasons. Regarding having multiple keys, how does that work exactly? I saw it on the docs about testing but I couldn't fully understand. Is each key associated with a different schema? And if so, do they all read from the same tuples in the database?
y
no - the idea is that each connection that you make with a different preshared-key essentially gives you sandboxed corner of the in-memory spicedb instance
so you write a schema to it and make API calls against it, and you don't have to worry about cleaning up old data or about calls made using one connection to see data created by another connection
j
> i don't think that's currently supported it is
you just supply multiple with commas (in env) or multiple args on the CLI:
spicedb serve --grpc-preshared-key "somerandomkeyhere" --grpc-preshared-key="anotherkeyhere"
y
TIL and that is rad!
t
That's nice! I have a couple questions about this option, @Joey : 1- If I start my spicedb instance with multiple keys, are they interchangeable on the client side? 2- In order to change the keys, do I have to bring down the server and start it again, passing another key to the 'serve' command?
j
1) yes
2) yes
but you can rolling deploy
if you use the SpiceDB operator, it'll do so for you
t
Cool! Thank you very much!
2 Views
PreviousNext
Powered by