Hi team - is there a recommendation of SpiceDB #spicedb

Hi team - is there a recommendation of

06/24/2025, 4:01 PM

Hi team - is there a recommendation of handling updating zookies for async updates? Our current design is upon updates to db objects, services call spicedb async (with a celery worker) to propagate changes. The issue is the zookie won't be returned to the service, and when service issues CheckPermission calls it won't have the updated zookie.

yetitwo

06/24/2025, 5:07 PM

typically we recommend that the zedtoken be saved in the resource's row

yetitwo

06/24/2025, 5:08 PM

if you're doing that, you can have the async job that writes to SpiceDB also write to the table

06/24/2025, 5:45 PM

sorry just so i understand - lets say we have a user object stored in service db. you're saying on each row of the user table, the async task will write back the zedtoken? how would the service know which zedtoken to use when issuing CheckPermission calls that span multiple user rows?

yetitwo

06/24/2025, 5:50 PM

not of the user table - it'd be the resource part of the relation write

yetitwo

06/24/2025, 5:51 PM

and as for which token to use with something like

CheckBulkPermissions

, we don't currently have an easy way to compare zedtokens, but we're working on a proposal for a "zedtoken jar" that would address this use case

06/24/2025, 5:54 PM

gotcha. what if i maintain a global zedtoken in each container running the service so it gets overwritten each time a async update happens? what's the tradeoff of storing separate zedtokens in each resource row?

yetitwo

06/24/2025, 7:14 PM

the issue there is that you're functionally invalidating your cache every time there's a write

yetitwo

06/24/2025, 7:15 PM

it's slightly better than

fully_consistent

, especially if your write velocity is relatively low, but it's much worse than using

minimize_latency

or a more fine-grained

at_least_as_fresh

approach

2 Views

Previous Next