https://authzed.com logo
#spicedb
Title
# spicedb
r

RobertM

11/10/2022, 7:18 AM
Hi! First of all thank you for setting up this Discord server and allowing people to ask questions! I have a consistency question (I think?). I'm thinking about using SpiceDB in a proxy performing a bunch of authz checks and found myself wondering which consistency would I need to specify when doing CheckPermission there. I wanted to store zedtokens on said proxy level so the services protected by it don't have to care about them. If I store zedtokens in Redis I think following the situation is possible: Starting state: User A has permission to read document stored in a service. ZedToken1 is stored in proxy Redis. T1 - permission is revoked for User A, document is updated, ZedToken2 gets stored in Redis T2 - proxy performs CheckPermission, but because of the Redis consistency ZedToken1 is used If I understand correctly, calling CheckPermission with
fully_consistent
consistency in this situation will guarantee that we will get "no permission", but what about
at_least_as_fresh
using ZedToken1? Is it possible that the permission revoke from T1 is still not propagated in T2 and CheckPermission with
at_least_as_fresh
and ZedToken1 would return "has permission"? Or because of Consistent Hash Load Balancing even though permission revoke is not propagated across all nodes - CheckPermission with
at_least_as_fresh
and ZedToken1 will return "no permission" anyway because we would "talk" to the same node each time?
5 Views