Hi, I have another question 🙂 Now I'm SpiceDB #spicedb

Hi, I have another question 🙂 Now I'm

Gadric

11/13/2023, 12:22 PM

Hi, I have another question 🙂 Now I'm running a default spicedb deployment & a readonly deployment. When I run a PermissionServiceClient.CheckPermission() request to the readonly node I get the error

unable to check permission: rpc error: code = PermissionDenied desc = invalid preshared key: invalid token

. The ReadSchemaRequest which is executed right beforehand will not fail. Now I deployed the same setup (1 postgres, 1 readonly spicedb node, 1 default spicedb node) with the same version (v1.20.0) locally and I don't run into any issues. Does anyone have an idea what the problem could be? The psk is the right one. Which I prove by intentionally passing the wrong PSK to the read only client. Which then will result in a failing ReadSchemaRequest() too.

vroldanbet

11/13/2023, 12:41 PM

The fact this works for schema read and not check request immediately tells me a problem on the Dispatch API. A node may be dispatching to another one, and somehow the preshared key are different. Is it possible the read-only cluster and the r/w cluster are forming a single clustering ring?

vroldanbet

11/13/2023, 12:41 PM

I suggest enabling trace logs to see if you get extra information on what could be going on

vroldanbet

11/13/2023, 12:42 PM

a quick way to confirm is to make both clusters have the same preshared key and see if that works

Gadric

11/13/2023, 1:49 PM

That was the problem. I just copy & pasted the config on my k8s cluster. I have disabled

SPICEDBB_DISPATCH_CLUSTER_ENABLED

and now it works. Funny enough I also thought this could be the problem before I took a nap. Thanks for beeing my rubber duck 😄

Previous Next