Hello! I am using at_least_as_fresh
# spicedb
y
Hello! I am using at_least_as_fresh consistency but sometimes encounter issues. I send a /write request to create the relationship user1 -> owner -> project1, then I take the ZedToken from the response and send a /check request to verify that user1 is the owner of project1. However, I receive a PERMISSIONSHIP_NO_PERMISSION response.
I have between 5 and 10 SpiceDB pods. Could it be that the ZedToken hasn't propagated between the instances?
v
That shouldn't happen. What datastore are you using?
y
postgres
Look how often I have fallbacks. I send this metric when I should have permission but I don't have it. I checked all logs, and all users have permissions to their entities in SpiceDB if I use minimizeLatency or fullyConsistent. So the problem is in at_least_as_fresh, which I use. https://cdn.discordapp.com/attachments/1288506769022386297/1288512922280263690/Screenshot_2024-09-25_at_16.46.38.png?ex=66f574ac&is=66f4232c&hm=d50c71f1bc5e4047d2cbbc5ac02aa5de61ca343f85f0ad6d8dd2fea6fc2538c0&
I save only one ZedToken for all users in Redis, and of course, I have parallel requests to SpiceDB, so my ZedToken might not be saved atomically. But I don't think that it can be a problem if I use at_least_as_fresh.
v
are you using read replicas?
what version of postgres are you using? is it a managed service?
j
> I save only one ZedToken for all users in Redis

That could certainly do it. ZedTokens should be saved on a per-resource basis, not on a per-subject basis.
y
No, I don't use replicas.
v
Can you describe more how you store ZedTokens?
y
After every write request I store the ZedToken in Redis, if I don't have a cached one. I send the request with minimizeLatency and take the token from the response.
I have logic where I save a relation and check it after 2 milliseconds with AtLeastAsFresh and see PERMISSIONSHIP_NO_PERMISSION. I think that I should save a ZedToken for each user with a small TTL, and if the ZedToken exists in the cache I should send the request with AtExactSnapshot consistency.
v
zed tokens are not associated with users. They should be associated with the content that has been modified, in order to prevent the new enemy problem. Are you storing one single entry for all zedtokens in redis? or do you have a mapping resource -> zedtoken? because if it's user -> zedtoken, that's wrong.
y
I save only one ZedToken in SpiceDB.
I have millions of resources, saving a ZedToken for each resource is too much)
v
well that's the reason why it's not working as expected